
fix: run spell-check with pinned cspell version #505

Open

scode2277 wants to merge 1 commit into develop from fix/spellchecker-workflow

fix: run spell-check with pinned cspell version#505
scode2277 wants to merge 1 commit into
developfrom
fix/spellchecker-workflow

Conversation

@scode2277 (Collaborator) commented May 27, 2026

The spell-check workflow used `npx cspell`, which fetched the latest cspell from npm at runtime instead of the version pinned in package.json/pnpm-lock.yaml.

  • Added pnpm/action-setup + actions/setup-node (Node 22) and a pnpm install step, then switched to `pnpm exec cspell`.
  • Updated the justfile lint to use `pnpm exec cspell` so local runs match CI.

Frameworks PR Checklist

Thank you for contributing to the Security Frameworks! Before you open a PR, make sure to read information for contributors and take a look at the following checklist:

  • Describe your changes, substitute this text with the information
  • If you are touching an existing piece of content, tag current contributors from the attribution list
  • If there is a steward for that framework, ask the steward to review it
  • If you're modifying the general outline, make sure to update it in the vocs.config.ts adding the dev: true parameter
  • If you need feedback for your content from the wider community, share the PR in our Discord
  • Review changes to ensure there are no typos; see instructions below.

  • Replace `npx cspell` with `pnpm exec cspell` in workflow and justfile
  • Add `actions/setup-node` (Node 22) and pnpm setup steps
  • Pin new actions by SHA with version comments
@scode2277 scode2277 self-assigned this May 27, 2026
@scode2277 scode2277 added the fix This PR fixes a bug or resolves an issue label May 27, 2026
@frameworks-volunteer (Collaborator) left a comment


Model: z-ai/glm-5.1 Reasoning: medium Provider: openrouter

Approved. Clean fix that eliminates an uncontrolled npx fetch in CI.

Security:

  • Pinned action SHAs verified against version tags (pnpm/action-setup@0e279bb = v6.0.8, actions/setup-node@48b55a0 = v6.4.0)
  • pnpm exec cspell resolves from lockfile, not npm registry -- eliminates supply-chain drift
  • Permissions unchanged and correctly scoped

QA:

  • Justfile updated to match CI -- pnpm exec cspell consistent
  • Node 22 matches preview-build.yml
  • One discrepancy: PR description says pnpm install --frozen-lockfile but the actual workflow step uses pnpm install without the flag. Other workflows in the repo (preview-build.yml, s3-upload.yml) use --frozen-lockfile. Recommend adding it for consistency and to enforce lockfile integrity in CI. Not blocking.
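Added example, not the repository's own workflow file: a spell-check job written the way the PR description and the review comment above together describe it (actions pinned to a commit SHA with the version tag kept as a comment, pnpm-driven install, `pnpm exec cspell`, and the `--frozen-lockfile` flag the reviewer asked for). The trigger, the `actions/checkout` step, the pnpm version and the cspell glob are assumptions, and the full SHAs are placeholders to be replaced with the commit behind the tag you pin.

```yaml
# Constructed example workflow; placeholders, not real pins.
name: spell-check
on:
  pull_request:
  push:
    branches: [develop]

permissions:
  contents: read

jobs:
  cspell:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha> # v4 (placeholder SHA; assumption: checkout step)

      # Weak form this PR removes: npx resolves cspell from the npm registry at run
      # time, so the version used in CI can drift from package.json/pnpm-lock.yaml.
      #   - run: npx cspell "**/*.md"

      # Hardened form: pnpm first, pinned to a full commit SHA (the tag stays as a
      # comment so dependency bots can still propose bumps).
      - uses: pnpm/action-setup@<full-commit-sha> # v6.0.8
        with:
          version: 10   # assumption; omit to use the "packageManager" field of package.json

      # setup-node after pnpm so the pnpm store cache can be used.
      - uses: actions/setup-node@<full-commit-sha> # v6.4.0
        with:
          node-version: 22
          cache: pnpm

      # Dependencies come from the lockfile only. --frozen-lockfile fails the job
      # if pnpm-lock.yaml and package.json disagree instead of silently re-resolving,
      # which is the discrepancy the reviewer pointed out.
      - run: pnpm install --frozen-lockfile

      # cspell is now the exact version recorded in the lockfile, the same one
      # `just lint` runs locally. Glob is an assumption.
      - run: pnpm exec cspell --no-progress "**/*.md"
```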
