ci: use npm ci with caching in all CI workflows

[ericpgreen2]

Following the axios supply chain attack (PR #9148 pinned the affected package), this hardens all CI workflows against future npm supply chain attacks.

• Switch npm install → npm ci in all 6 workflows that install npm dependencies (including scripts/web-test-code-quality.sh)
• Add cache: 'npm' to all actions/setup-node@v4 steps

Why npm ci: Installs exactly from package-lock.json, never resolves new versions from the registry, and fails if the lockfile is out of sync with package.json. Even if a malicious version is published within a dependency's semver range, CI will only install what's in the committed lockfile.

Why caching: actions/setup-node caches ~/.npm (npm's tarball cache) between runs, keyed by the lockfile hash. Packages are read from cache instead of re-downloaded from the registry. Typically cuts install time 50-70% on cache hits.

Checklist:

• Covered by tests
• Ran it and it works as intended
• Reviewed the diff before requesting a review
• Checked for unhandled edge cases
• Linked the issues it closes
• Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
• Intend to cherry-pick into the release branch
• I'm proud of this work!

---

Developed in collaboration with Claude Code