fix(ci): resolve provenance workflow setup-script argument parsing

The provenance workflow was incorrectly passing shell operators (&&) and
subsequent commands as literal string arguments, causing argument parsing
issues similar to socket-sdk-js.

Changes:
- Add scripts/ci-validate.mjs to orchestrate test, check, and build steps
- Add ci:validate script to package.json calling the new validation script
- Update provenance workflow setup-script from inline shell commands to
  'pnpm run ci:validate'

This follows the Socket project pattern where setup-script calls a
package.json script that invokes a .mjs file, avoiding shell operators in
YAML and preventing argument parsing issues.

Author: jdalton

.github/workflows/provenance.yml

@@ -32,5 +32,5 @@ jobs:
       dist-tag: ${{ inputs.dist-tag }}
       package-name: '@socketregistry/packageurl-js'
       publish-script: 'publish:ci'
-      setup-script: 'pnpm test && pnpm check && pnpm build'
+      setup-script: 'pnpm run ci:validate'
       use-trusted-publishing: true

package.json

@@ -42,6 +42,7 @@
     "build": "node scripts/build.mjs",
     "bump": "node scripts/bump.mjs",
     "check": "node scripts/check.mjs",
+    "ci:validate": "node scripts/ci-validate.mjs",
     "clean": "node scripts/clean.mjs",
     "cover": "node scripts/cover.mjs",
     "fix": "node scripts/fix.mjs",

scripts/ci-validate.mjs

@@ -0,0 +1,78 @@
+/**
+ * @fileoverview CI validation script for publishing workflow.
+ * Runs test, check, and build steps in sequence.
+ */
+
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import { spawn } from '@socketsecurity/lib/spawn'
+import { printHeader } from '@socketsecurity/lib/stdio/header'
+
+const logger = getDefaultLogger()
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+const rootPath = path.resolve(__dirname, '..')
+
+async function runCommand(command, args = []) {
+  return new Promise((resolve, reject) => {
+    const spawnPromise = spawn(command, args, {
+      cwd: rootPath,
+      stdio: 'inherit',
+    })
+
+    const child = spawnPromise.process
+
+    child.on('exit', code => {
+      resolve(code || 0)
+    })
+
+    child.on('error', error => {
+      reject(error)
+    })
+  })
+}
+
+async function main() {
+  try {
+    printHeader('CI Validation')
+
+    // Run tests
+    logger.step('Running tests')
+    let exitCode = await runCommand('pnpm', ['test', '--all'])
+    if (exitCode !== 0) {
+      logger.error('Tests failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Tests passed')
+
+    // Run checks
+    logger.step('Running checks')
+    exitCode = await runCommand('pnpm', ['check', '--all'])
+    if (exitCode !== 0) {
+      logger.error('Checks failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Checks passed')
+
+    // Run build
+    logger.step('Building project')
+    exitCode = await runCommand('pnpm', ['build'])
+    if (exitCode !== 0) {
+      logger.error('Build failed')
+      process.exitCode = exitCode
+      return
+    }
+    logger.success('Build completed')
+
+    logger.success('CI validation completed successfully!')
+  } catch (error) {
+    logger.error(`CI validation failed: ${error.message}`)
+    process.exitCode = 1
+  }
+}
+
+main()