chore(ci): pin GitHub Actions to immutable SHAs while preserving tag tracking

[Copilot]

Description

Pin all GitHub Actions uses: references in CI/release workflows to immutable commit SHAs while retaining the original tag/ref in inline comments so Dependabot can continue detecting upstream changes and proposing update pull requests.

Resolves or fixes issue: #960

AI Tool Disclosure

• My contribution does not include any AI-generated content
• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: GitHub Copilot (coding agent)
  • LLMs and versions: Claude Sonnet 4.5
  • Prompts: Pin GitHub Actions workflow step references to exact commit SHAs while keeping tag annotations in comments for Dependabot compatibility

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Coverage ∅ diff coverage · +0.00% coverage variation

Metric	Results
Coverage variation	✅ +0.00% coverage variation
Diff coverage	✅ ∅ diff coverage (80.00%)

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (204dfdd)	5950	5603	94.17%
Head commit (82d2af9)	5950 (+0)	5603 (+0)	94.17% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#961)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

_{TIP This summary will be updated as you push new changes. Give us feedback}