fix(ci): Replace npm install -g @go-task/cli with go-task/setup-task action to eliminate npm supply-chain risk.

[junhaoliao]

Description

All CI workflows install the Task runner via npm install -g @go-task/cli. @go-task/cli declares
a transitive dependency on axios: ^1.8.2, and because global npm installs have no lock file, npm
resolves to whatever the latest semver-compatible version is at install time. During the
axios supply-chain compromise on 2026-03-31, this caused CI runners to pull in the
malicious axios@1.14.1 package, which executed a post-install script that connected to an
attacker-controlled C2 server.

This PR replaces all occurrences of npm install -g @go-task/cli with the official
go-task/setup-task GitHub Action, pinned by commit SHA. The action downloads the Task
binary directly from GitHub Releases without involving npm, eliminating the transitive dependency on
axios and the broader npm supply-chain attack surface.

Checklist

• The PR satisfies the contribution guidelines.
• This is a breaking change and that has been indicated in the PR title, OR this isn't a
  breaking change.
• Necessary docs have been updated, OR no docs need to be updated.

Validation performed

1. Verified that no npm install -g commands remain in any workflow file.
2. Confirmed the pinned commit SHA 3be4020d41929789a01026e0e427a4321ce0ad44 corresponds to
   go-task/setup-task v2.0.0.

Summary by CodeRabbit

• Chores
  • Enhanced continuous integration and deployment infrastructure by updating workflow configurations to use more reliable tool installation mechanisms, ensuring consistent and efficient builds, linting, and test execution across all pipeline stages.

[coderabbitai]

Walkthrough

The pull request updates three GitHub Actions workflow files to replace npm-based Task CLI installation with the dedicated go-task/setup-task GitHub Action. The target Task CLI version remains 3.48.0, provided via the action's version input parameter instead of an npm install command.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/docs.yaml, .github/workflows/lint.yaml, .github/workflows/test.yaml	Replaced Task CLI installation from npm install -g @go-task/cli@3.48.0 with go-task/setup-task GitHub Action (pinned to commit 3be4020d41929789a01026e0e427a4321ce0ad44), passing version 3.48.0 via the action's with.version input.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately summarizes the main change: replacing npm-based installation of Task CLI with a GitHub Action to eliminate supply-chain risk, which directly matches the changeset across all three workflow files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Bill-hbrhbr]

Need to use reusable github action.