Add workflow to auto-regenerate pnpm-lock.yaml for Dependabot PRs

Dependabot sometimes fails to update the lockfile in pnpm workspace
setups, causing CI to fail with frozen-lockfile errors (see PR #308).

This workflow detects Dependabot PRs, runs pnpm install to regenerate
the lockfile, and commits it back. Uses a GitHub App token so that
subsequent CI runs are triggered automatically.

Author: umair-ably

.github/workflows/dependabot-lockfile.yml

@@ -0,0 +1,51 @@
+name: Fix Dependabot Lockfile
+
+on:
+  pull_request_target:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: read
+
+jobs:
+  fix-lockfile:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    timeout-minutes: 10
+
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.CLAUDE_APP_ID }}
+          private-key: ${{ secrets.CLAUDE_APP_PRIVATE_KEY }}
+
+      - name: Checkout Dependabot branch
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v5
+        with:
+          version: 10
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "22.x"
+
+      - name: Regenerate lockfile
+        run: pnpm install --no-frozen-lockfile
+
+      - name: Commit and push if lockfile changed
+        run: |
+          git diff --exit-code pnpm-lock.yaml && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add pnpm-lock.yaml
+          git commit -m "fix(deps): regenerate pnpm-lock.yaml"
+          git push