ci: add conditional lockfile validation based on PR label

- Add label-based check to allow lockfile changes in specific PRs
- Use 'allow-lockfile-changes' label to bypass hardened mode
- Maintains strict lockfile validation for regular PRs
- Keep hardened mode enabled by default for security

Author: sudokoi

.github/workflows/ci.yml

@@ -46,9 +46,26 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-node-modules-
 
-      - name: 📥 Install dependencies
+      - name: 🔍 Check if PR allows lockfile changes
+        id: check-label
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const labels = context.payload.pull_request.labels.map(l => l.name);
+            const allowLockfile = labels.includes('allow-lockfile-changes');
+            console.log(`PR labels: ${labels.join(', ')}`);
+            console.log(`Allow lockfile changes: ${allowLockfile}`);
+            core.setOutput('allow', allowLockfile ? 'true' : 'false');
+
+      - name: 📥 Install dependencies (with lockfile validation)
+        if: steps.check-label.outputs.allow != 'true'
         run: yarn install --immutable
 
+      - name: 📥 Install dependencies (allow lockfile changes)
+        if: steps.check-label.outputs.allow == 'true'
+        run: yarn install
+
       - name: 🎨 Check formatting
         run: yarn format:check