Composite action: setup-node + install + build (monorepo-aware) #8

@mabry1985

Why

Almost every workflow step in our internal repos starts with the same 3-5 actions:

```yaml
- uses: actions/checkout@<sha>
- uses: actions/setup-node@<sha>
  with: { node-version: '22', cache: 'npm' }
- run: npm ci
- run: npm run build:packages  # only in monorepos
```

The exact action SHAs drift between repos (we pin to commit SHAs for supply-chain safety, so every dependabot bump only touches one repo at a time). The build step is monorepo-specific. Every workflow that needs a built workspace duplicates this block.

What

Add a composite action at protoLabsAI/release-tools/setup (or a subdir):

```yaml
- uses: protoLabsAI/release-tools/actions/setup@v1
  with:
    node-version: '22'
    install: true          # default true, runs `npm ci`
    build-packages: false  # default false, runs `npm run build:packages` if true
```

The composite action would internally pin the latest-known-good action SHAs for checkout and setup-node. Consumers get supply-chain safety + a single dependabot bump (in release-tools) that propagates everywhere they `uses:` it.

Inputs (draft)

| Input | Default | Notes |
| --- | --- | --- |
| `node-version` | `'22'` | |
| `install` | `true` | runs `npm ci` |
| `install-command` | `'npm ci'` | override |
| `build-packages` | `false` | runs `npm run build:packages` if true |
| `fetch-depth` | `1` | passed to checkout |

Reference

Currently most repos have a hand-rolled setup-project composite (e.g. protoMaker .github/actions/setup-project). Centralizing in release-tools means one source of truth across the org.

Filed off the back of protoMaker#3650.
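
An added example, not part of the original issue or of release-tools: a Python check for the pinning policy described above, which flags `uses:` references that are not full commit SHAs and reports actions pinned to different SHAs across repos. The file paths and SHAs in the sample are constructed placeholders, and the function name `audit` is an assumption.

```python
import re
from collections import defaultdict

# Matches `uses: owner/repo[/path]@ref`; local (`./...`) actions have no @ref and are skipped.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA, not a tag or branch


def audit(workflows):
    """workflows: {"repo/path.yml": yaml_text}. Returns (unpinned, drift)."""
    unpinned = []  # (file, action, ref) where ref is a mutable tag/branch
    pins = defaultdict(lambda: defaultdict(set))  # action -> sha -> {files}
    for path, text in workflows.items():
        for action, ref in USES_RE.findall(text):
            if SHA_RE.match(ref):
                pins[action][ref].add(path)
            else:
                unpinned.append((path, action, ref))
    # Drift: the same action pinned to more than one SHA across the scanned files.
    drift = {a: {s: sorted(f) for s, f in shas.items()}
             for a, shas in pins.items() if len(shas) > 1}
    return sorted(unpinned), drift


# Constructed sample input: these SHAs are made-up placeholders, not real commits.
SHA_A = "a" * 40
SHA_B = "b" * 40
SAMPLE = {
    "repo-one/.github/workflows/ci.yml": f"""
steps:
  - uses: actions/checkout@{SHA_A}  # v4
  - uses: actions/setup-node@{SHA_A}
    with: {{ node-version: '22', cache: 'npm' }}
  - run: npm ci
""",
    "repo-two/.github/workflows/ci.yml": f"""
steps:
  - uses: actions/checkout@{SHA_B}
  - uses: protoLabsAI/release-tools/actions/setup@v1
""",
}

if __name__ == "__main__":
    unpinned, drift = audit(SAMPLE)
    for path, action, ref in unpinned:
        print(f"UNPINNED {path}: {action}@{ref}")
    for action, shas in drift.items():
        print(f"DRIFT {action}: {shas}")
```
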
