fix(ci): pin npm to 11.12.1 via packageManager field

Renovate's hosted runner uses npm 10 by default, which raises EOVERRIDE
when re-resolving the workspace tree against the dompurify override
(`^3.4.0`) and other caret-range overrides. The lockfile regen step
then aborts and Renovate ships package.json updates with a stale
package-lock.json, breaking every npm-based CI job on the resulting PR.

npm 11.5+ handles the same overrides scenario without erroring. Adding
`packageManager: npm@11.12.1` is the standard Corepack-honored signal
to pick a specific npm; Renovate respects it, and it also pins local
dev and any non-explicit CI step onto the same npm so all three stay
aligned.

Closes #2415. Sequenced after #2414 (CI Node 24 / npm 11).

Author: rocketstack-matt

package.json

@@ -2,6 +2,7 @@
     "name": "@finos/calm-workspace",
     "version": "0.0.0",
     "private": true,
+    "packageManager": "npm@11.12.1",
     "engines": {
         "node": "^22.14.0 || >=24.10.0"
     },