[GHA] Add installer workflow to test installer generation

[Copilot]

Adds GitHub Actions workflow to validate installer script generation as described in the README section "Generate Installer Script for The Combine".

Workflow Structure

• Triggers: push and pull_request on master
• Permissions: contents: read (minimal)
• Jobs:
  • make_installer: Tests both network (--net-install) and offline (latest release) installer generation with --debug
  • make_readme: Generates installer PDF documentation via pandoc/weasyprint

Security

Both jobs use Harden Runner with egress-policy: block and allowed endpoints configured.

Release Version Handling

The workflow dynamically fetches the latest release version using git describe --tags --abbrev=0:

- name: Make installer with release version
  run: |
    cd installer
    ./make-combine-installer.sh $(git describe --tags --abbrev=0) --debug

The checkout step includes fetch-depth: 0 to ensure all tags are available. This ensures the workflow always tests against the current release without requiring manual updates or GitHub API access.

• Fixes [GHA] Create workflow that tests the installer #4019

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[GHA] Create workflow that tests the installer</issue_title>
<issue_description>We want a GitHub Action workflow that covers the things in https://github.com/sillsdev/TheCombine?tab=readme-ov-file#generate-installer-script-for-the-combine-linux-only

In the style of other files in .github/workflows/, create a new installer.yml that:

• Runs on both "push" and "pull_request" on master
• Has the minimal necessary permissions
• runs-on: ubuntu-latest
• Has two jobs, one for making the installer and one for making the readme
• Each job has a "Harden Runner" step with egress-policy: audit (will change to block later, after the check runs and the audit gives the necessary endpoints)
• The installer job will have two different make steps, one with --net-install and one with the most recent release version; both steps should use --debug</issue_description>

<agent_instructions>Commit messages should satisfy .github/workflows/commit_message_check.yml</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [GHA] Create workflow that tests the installer #4019

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

---

This change is 

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.58%. Comparing base (a54e777) to head (b134973).
⚠️ Report is 20 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4020   +/-   ##
=======================================
  Coverage   74.58%   74.58%           
=======================================
  Files         293      293           
  Lines       10817    10817           
  Branches     1353     1353           
=======================================
  Hits         8068     8068           
  Misses       2354     2354           
  Partials      395      395           

Flag	Coverage Δ
backend	85.45% <ø> (ø)
frontend	66.23% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[imnasnainaec]

@copilot

[jasonleenaylor]

@jasonleenaylor reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @imnasnainaec)

[imnasnainaec]

@imnasnainaec reviewed all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @imnasnainaec)