
ci: add Socket Fix autopilot #119

Merged: Larry-Osakwe merged 1 commit into main from ci/socket-fix on May 7, 2026

Larry-Osakwe (Contributor) commented May 7, 2026

Summary

  • Adds `socket-fix.yml` — runs Socket Fix in autopilot mode twice weekly (Mon + Thu), with `workflow_dispatch` for manual runs
  • Uses the GH App token (same `GH_REPO_ACCESS_APP_ID`/`GH_REPO_ACCESS_PRIVATE_KEY` already wired up for the bump workflow) so no new long-lived credentials are needed
  • Passes the generated token as `SOCKET_CLI_GITHUB_TOKEN` — Socket opens fix PRs as the app identity, which ensures `pr.yml` CI checks run on those PRs and auto-merge can trigger
  • Exempts bot-opened PRs from conventional commit validation in `pr.yml` (one-line `if` condition on `validate-commits` job) — Socket's dependency upgrade commits won't follow conventional format and shouldn't need to

New secret needed

`SOCKET_API_TOKEN` — Socket's API key, needs to be added to this repo.

How it fits the release process

Socket fix PRs flow through the same auto-merge pipeline as bump PRs. No special cases.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | github/actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 | 99 | 100 | 100 | 100 | 80 |


@Larry-Osakwe Larry-Osakwe merged commit 8664dde into main May 7, 2026
8 checks passed
@Larry-Osakwe Larry-Osakwe deleted the ci/socket-fix branch May 7, 2026 18:22

3 participants