ci(sdd): cache and pin Spectral in contract-validate

Pins @stoplight/spectral-cli@6.16.0 and caches ~/.npm keyed on that version, so
Spectral is fetched once and reused across runs instead of re-downloaded each
time. A version bump busts the cache key deterministically.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/sdd-gate.yml

@@ -72,8 +72,19 @@ jobs:
         with:
           node-version: '24'
 
+      # Cache the npm/npx download so Spectral isn't re-fetched every run. The key is pinned to
+      # the exact Spectral version below, so a version bump busts the cache deterministically.
+      - name: Cache Spectral (npm cache)
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: spectral-cli-6.16.0
+          restore-keys: spectral-cli-
+
       - name: Lint changed OpenAPI contracts
         shell: bash
+        env:
+          SPECTRAL: "@stoplight/spectral-cli@6.16.0"   # pinned — keep in sync with the cache key above
         run: |
           set -uo pipefail
           base="origin/${{ github.event.pull_request.base.ref }}"
@@ -88,7 +99,7 @@ jobs:
           for f in $changed; do
             [ -f "$f" ] || continue
             echo "── spectral lint $f"
-            npx --yes @stoplight/spectral-cli@6 lint "$f" || rc=1
+            npx --yes "$SPECTRAL" lint "$f" || rc=1
           done
           exit $rc