Fix CI: revert chromium to 3.0.3, use npm overrides to enforce tmp@0.2.5

[Copilot]

The dependabot tmp bump upgraded chromium from 3.0.3 → 3.2171.3008 as a side effect. chromium@3.2171.3008 has a broken install.js that unconditionally runs install.bat on non-macOS (including Linux), causing CI to fail with ENOENT.

Changes

• Revert chromium to 3.0.3 — the version with a working Linux install script
• Add npm overrides for tmp@0.2.5 — forces the safe version throughout the full dependency tree, replacing the tmp@0.0.33 that chromium@3.0.3 previously pulled in; preserves the security intent of the original dependabot PR

"overrides": {
  "tmp": "0.2.5"
}

Result: package-lock.json now resolves a single tmp@0.2.5 with no nested 0.0.33.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.googleapis.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node install.js -m owner --uid-owner 0 -j ACCEPT (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)