Update dotcom-components workflow to use riff-raff action

[AnastasiiaBalenko]

What does this change?

There is a High vulnerability lodash vulnerable to Code Injection via _.template imports key names in development environment introduced by transitive dependency lodash 4.17.21 introduced via @guardian/node-riffraff-artifact 0.3.2

npm package @guardian/node-riffraff-artifact is deprecated and it is recommended to use guardian/actions-riff-raff. So this change aligns with current Guardian guidance and removes the affected dependency chain.
What changed:

• Replaced the manual riffraff deploy step in dotcom-components workflow with guardian/actions-riff-raff@v4.
• Removed explicit AWS credential configuration step from this job, since v4 of the action handles role assumption internally.
• Added pull-requests: write permission required by the action for PR commenting.
• Removed the riffraff npm script from package.json
• Removed @guardian/node-riffraff-artifact from package.json devDependencies.
• Regenerated pnpm-lock.yaml, removing the old transitive tree.

How has this change been tested?

Deployed to CODE env, verified that everything works as expected

How can we measure success?

Have we considered potential risks?

Images

Accessibility

• Tested with screen reader
• Navigable with keyboard
• Colour contrast passed
• The change doesn't use only colour to convey meaning

[github-actions]

Deploy build 6795 of support::dotcom-components to CODE

All deployment options

• Deploy build 6795 of support::dotcom-components to CODE
• Deploy parts of build 6795 to CODE by previewing it first
• What's on CODE right now?

---

From guardian/actions-riff-raff.

[tomrf1]

👍 looks good