build(frontend-builder): use pnpm consistently (drop npx/npm install -g)

The image is built around corepack-activated pnpm@10.15.0 but two
install commands were still using npm/npx, which:
- Ignores the pnpm store and creates a separate npm cache (~/.npm)
- Inconsistent with the rest of the image

Replace:
- `npm install -g @bufbuild/protoc-gen-es@X` → `pnpm add -g @bufbuild/protoc-gen-es@X`
- `npx --yes playwright@X install chromium` → `pnpm dlx playwright@X install chromium`

`pnpm add -g` requires PNPM_HOME on PATH (pnpm's interactive `pnpm
setup` does this; we do it explicitly):
  ENV PNPM_HOME=/root/.local/share/pnpm
  ENV PATH="${PNPM_HOME}:${PATH}"

`pnpm dlx` is a transient install — fetches the package into the
store, runs the install command, leaves only the browser binary at
$PLAYWRIGHT_BROWSERS_PATH (which is what we actually want).

No functional change for consumers. Image is just self-consistent now.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ci/frontend-builder/Dockerfile

@@ -67,6 +67,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN corepack enable \
     && corepack prepare "pnpm@${PNPM_VERSION}" --activate
 
+# Make pnpm's global-install bin dir authoritative on PATH so `pnpm add -g`
+# installs land in a known location and their binaries resolve without
+# extra setup. (pnpm setup is interactive — this is the non-interactive
+# equivalent.)
+ENV PNPM_HOME=/root/.local/share/pnpm
+ENV PATH="${PNPM_HOME}:${PATH}"
+
 # ─────────────────────────────────────────────────────────────────────
 # buf CLI - single static binary, used for `buf lint` and `buf generate`
 # ─────────────────────────────────────────────────────────────────────
@@ -76,10 +83,10 @@ RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION
 
 # ─────────────────────────────────────────────────────────────────────
 # protoc-gen-es - TypeScript codegen plugin for buf 'local:' references.
-# Installed globally so it lands on PATH; buf v2 resolves
-# `local: protoc-gen-es` via PATH lookup.
+# Installed via pnpm into $PNPM_HOME so the binary lands on PATH; buf v2
+# resolves `local: protoc-gen-es` via PATH lookup.
 # ─────────────────────────────────────────────────────────────────────
-RUN npm install -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
+RUN pnpm add -g "@bufbuild/protoc-gen-es@${PROTOC_GEN_ES_VERSION}"
 
 # ─────────────────────────────────────────────────────────────────────
 # ORAS CLI - for uploading artifacts (test reports, audit logs) to Harbor
@@ -95,8 +102,13 @@ RUN curl -fsSL "https://github.com/oras-project/oras/releases/download/v${ORAS_V
 # and skips the ~170MB download. System libs are already installed at
 # the top of the file, so we use bare `playwright install chromium`
 # (no --with-deps).
+#
+# `pnpm dlx` is a one-shot — pnpm fetches the package into its store,
+# executes the install command, and cleans up. The browser binary
+# itself persists at PLAYWRIGHT_BROWSERS_PATH, which is the only piece
+# we actually need at runtime.
 # ─────────────────────────────────────────────────────────────────────
-RUN npx --yes "playwright@${PLAYWRIGHT_VERSION}" install chromium
+RUN pnpm dlx "playwright@${PLAYWRIGHT_VERSION}" install chromium
 
 WORKDIR /workspace