
ci: clear v0.1.9 release PR's audit + prettier failures#21

Merged
mrdulasolutions merged 1 commit into main from claude/ci-fixes-v0.1.9
May 13, 2026

Conversation

@mrdulasolutions
Owner

Summary

The v0.1.9 release PR (#20) shipped with two non-gating CI failures. This PR clears both so the next release is green.

  • Security Audit: posthog-js pulls in @opentelemetry/exporter-logs-otlp-http → @opentelemetry/otlp-transformer, which depends on protobufjs ^7.3.0. That resolved to 7.5.5, which is affected by the GHSA-66ff-xgx4-vchm family of high-severity advisories (all fixed in 7.5.6). No OpenTelemetry release advances the floor yet, so this adds an npm overrides entry forcing the whole tree onto protobufjs ^7.5.8 (latest 7.x).
  • Prettier: SetupWizard.tsx had two lines past print-width after the notification-permission step landed in #19 (feat(onboarding): add notification permission step to setup wizard). Re-ran prettier --write on the file.

After the change locally:

npm audit --omit=dev --audit-level=high   →  found 0 vulnerabilities
npm run format:check                       →  All matched files use Prettier code style!
npm run lint                               →  0 errors, 5 warnings (unchanged)
npm run typecheck                          →  clean

The lockfile diff also reflects the version: "0.1.8" → "0.1.9" bump that #20 missed, plus a couple of @protobufjs/* sub-packages that float along with protobufjs itself.

Test plan

  • CI's Security Audit job goes green
  • CI's Lint & Format job goes green
  • Type Check stays green

🤖 Generated with Claude Code

The v0.1.9 release PR had two non-gating CI failures.

Security Audit (`npm audit --omit=dev --audit-level=high`):
  posthog-js → @opentelemetry/exporter-logs-otlp-http → @opentelemetry/otlp-transformer
  pulled in protobufjs ^7.3.0, which resolved to 7.5.5 — vulnerable to a high
  severity advisory (GHSA-66ff-xgx4-vchm and others, all fixed in 7.5.6).
  No OpenTelemetry release advances the floor yet, so we use an npm override to
  force the whole tree onto protobufjs ^7.5.8 (latest 7.x).

Prettier (`npm run format:check`):
  SetupWizard.tsx had two lines that exceeded the print width after the
  notification-permission step landed. Auto-formatted.

  Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mrdulasolutions merged commit 4ab6fd8 into main, May 13, 2026
3 checks passed
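The override described in the PR only helps if every installed copy of protobufjs in the tree actually lands inside the pinned range. The following Node script is an added example, not code from this repository: it reads a package.json `overrides` entry and walks the lockfile's `packages` map (lockfile v3 keys are node_modules paths, so nested copies show up too) and reports any copy outside the range. The package.json and lockfile objects are constructed stand-ins, including the `0.0.0` version on the otlp-transformer entry; the caret check only covers `^X.Y.Z` ranges, which is all this case needs.

```javascript
// Added example, not code from the repository: check that a package.json
// "overrides" entry pins protobufjs and that every copy of protobufjs in the
// package-lock.json "packages" map actually satisfies that range.
// Both documents below are constructed stand-ins for the real files.

const PACKAGE_JSON = {
  name: "example-app",
  version: "0.1.9",
  dependencies: { "posthog-js": "^1.0.0" },
  // The fix from the PR: force the whole tree onto protobufjs ^7.5.8.
  overrides: { protobufjs: "^7.5.8" },
};

// Lockfile v3 keys are node_modules paths, so nested copies are visible too.
const LOCKFILE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/posthog-js": { version: "1.0.0" },
    "node_modules/@opentelemetry/otlp-transformer": {
      version: "0.0.0", // constructed placeholder version
      dependencies: { protobufjs: "^7.3.0" },
    },
    "node_modules/protobufjs": { version: "7.5.5" }, // inside the advisory range
  },
};

const LOCKFILE_AFTER = {
  lockfileVersion: 3,
  packages: {
    ...LOCKFILE_BEFORE.packages,
    "node_modules/protobufjs": { version: "7.5.8" },
  },
};

// Parse "X.Y.Z" (any "-prerelease"/"+build" suffix is dropped) into numbers.
function parseVersion(version) {
  const core = version.split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${version}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal caret-range check (^X.Y.Z only): >= X.Y.Z and below the next
// release of the leftmost non-zero component, which is npm's caret rule.
function satisfiesCaret(range, version) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`only ^X.Y.Z ranges are supported: ${range}`);
  const lo = m.slice(1).map(Number);
  const v = parseVersion(version);
  if (compareVersions(v, lo) < 0) return false;
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Returns a list of findings; an empty list means the override is in place
// and every installed copy of `name` honours it.
function auditOverride(pkg, lock, name) {
  const findings = [];
  const range = pkg.overrides && pkg.overrides[name];
  if (!range) {
    findings.push(`package.json has no overrides entry for ${name}`);
    return findings;
  }
  let copies = 0;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isCopy =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isCopy) continue;
    copies++;
    if (!satisfiesCaret(range, entry.version)) {
      findings.push(`${path}@${entry.version} does not satisfy override ${range}`);
    }
  }
  if (copies === 0) {
    findings.push(`${name} is not in the lockfile (override has no effect)`);
  }
  return findings;
}

console.log("before:", auditOverride(PACKAGE_JSON, LOCKFILE_BEFORE, "protobufjs"));
console.log("after: ", auditOverride(PACKAGE_JSON, LOCKFILE_AFTER, "protobufjs"));
```

Run it after `npm install` against the real files to confirm the lockfile, not just package.json, reflects the override; `npm audit` exercises the same lockfile, which is why the PR's audit result is the authoritative check and this script is a quick pre-commit sanity pass.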
@mrdulasolutions
Owner Author

Two more findings while looking at why the v0.1.9 draft release was missing .sig + latest.json. Added both fixes to this PR.

Root cause of the missing updater pair

bundle.createUpdaterArtifacts defaults to false in Tauri 2's config schema (tauri-utils/src/config.rs):

impl Default for Updater {
  fn default() -> Self {
    Self::Bool(false)
  }
}

Our tauri.conf.json never set it. So tauri-bundler only emitted .app + .dmg, never the updater .app.tar.gz + .app.tar.gz.sig pair. tauri-action then re-tarred the .app directory itself (unsigned), and its upload step bailed with Signature not found for the updater JSON. Skipping upload....

The plugins.updater.active: true flag in tauri.conf.json is the client-side plugin enablement (gets compiled into the .app, controls auto-update behavior at runtime). bundle.createUpdaterArtifacts: true is the separate build-side flag that tells the bundler to produce the artifacts to upload. We had only the first.

Same bug hit v0.1.6, v0.1.7, v0.1.8, v0.1.9 — every release since v0.1.5. v0.1.7/v0.1.8 shipped because someone manually uploaded the missing files (e.g., v0.1.8's .sig + latest.json were uploaded 17 hours after the workflow finished, per the release asset created_at).

x86_64 leg removed

The Intel matrix leg has not landed a release artifact since v0.1.6:

| Release | aarch64                    | x86_64                     |
| ------- | -------------------------- | -------------------------- |
| v0.1.7  | shipped (manual sig upload) | not in release             |
| v0.1.8  | shipped (manual sig upload) | not in release             |
| v0.1.9  | shipped (no sig, this PR)  | queued 37+ min, cancelled  |

GitHub's macos-13 runners are deprecated and consistently queue past timeout-minutes: 75. Re-add when there's a stable Intel runner option or when self-hosted is on the table.

Verification plan after merge

  1. Delete the v0.1.9 tag + draft release
  2. Re-tag v0.1.9
  3. Confirm the release ends up with all four assets:
    • AOS.Mail_0.1.9_aarch64.dmg
    • AOS.Mail_aarch64.app.tar.gz
    • AOS.Mail_aarch64.app.tar.gz.sig
    • latest.json
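The two flags discussed above are easy to confuse, and the verification plan checks for a fixed set of four assets. The following Node script is an added example, not code from this repository: it flags a tauri.conf.json that has `plugins.updater.active` without `bundle.createUpdaterArtifacts`, and computes which of the expected updater assets are missing from a release's asset list. The config objects and asset lists are constructed; the product name AOS.Mail and the four file names follow the plan above, and treating the string "v1Compatible" as an enabled value for `createUpdaterArtifacts` is an assumption about the Tauri 2 schema rather than something the comment states. It does not verify the signature itself, only that the files are present.

```javascript
// Added example, not code from the repository: (1) check a tauri.conf.json
// for both updater flags the comment describes, and (2) check a release's
// asset list for the four-file set the verification plan expects.
// The config objects and asset lists below are constructed for the example.

// Only the client-side plugin flag: the bundler still emits no updater artifacts.
const CONF_BROKEN = {
  bundle: { active: true, targets: ["app", "dmg"] },
  plugins: { updater: { active: true } },
};

// Both flags set: plugin enabled at runtime, bundler emits .app.tar.gz + .sig.
const CONF_FIXED = {
  bundle: { active: true, targets: ["app", "dmg"], createUpdaterArtifacts: true },
  plugins: { updater: { active: true } },
};

// Returns findings; empty means both the runtime and build-side flags are set.
function checkUpdaterConfig(conf) {
  const findings = [];
  const pluginActive = conf.plugins?.updater?.active === true;
  const artifacts = conf.bundle?.createUpdaterArtifacts;
  // Assumption: Tauri 2 accepts true or the string "v1Compatible" here;
  // the schema default (shown in the comment above) is false.
  const artifactsEnabled = artifacts === true || artifacts === "v1Compatible";
  if (!pluginActive) {
    findings.push("plugins.updater.active is not true (runtime updater disabled)");
  }
  if (!artifactsEnabled) {
    findings.push(
      "bundle.createUpdaterArtifacts is not enabled (no .app.tar.gz/.sig will be built)"
    );
  }
  return findings;
}

// Expected asset names for a version/arch, following the naming in the plan.
function expectedUpdaterAssets(product, version, arch) {
  return [
    `${product}_${version}_${arch}.dmg`,
    `${product}_${arch}.app.tar.gz`,
    `${product}_${arch}.app.tar.gz.sig`,
    "latest.json",
  ];
}

// Given the asset names actually attached to a release, list what is missing.
function missingReleaseAssets(assetNames, product, version, arch) {
  const present = new Set(assetNames);
  return expectedUpdaterAssets(product, version, arch).filter((n) => !present.has(n));
}

// Constructed: a draft with only the non-updater files vs. a complete release.
const ASSETS_DRAFT = ["AOS.Mail_0.1.9_aarch64.dmg", "AOS.Mail_aarch64.app.tar.gz"];
const ASSETS_COMPLETE = [
  ...ASSETS_DRAFT,
  "AOS.Mail_aarch64.app.tar.gz.sig",
  "latest.json",
];

console.log("broken config:", checkUpdaterConfig(CONF_BROKEN));
console.log("fixed config: ", checkUpdaterConfig(CONF_FIXED));
console.log("draft missing:", missingReleaseAssets(ASSETS_DRAFT, "AOS.Mail", "0.1.9", "aarch64"));
```

Feeding the real asset list (for example from `gh release view <tag> --json assets`) into `missingReleaseAssets` gives the step-3 check of the plan as a single command, and running `checkUpdaterConfig` over the committed tauri.conf.json in CI would have caught the v0.1.6 through v0.1.9 regressions before a tag was pushed.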
