ci: modernize action pins and Go baseline

[intel352]

Summary

• pin CI, release, and IaC conformance workflows to audited action SHAs with version comments
• bump the module Go directive to 1.26.4
• use wfctl v0.74.6 for contract validation, with release install checksum verification

Verification

• actionlint .github/workflows/*.yml
• GOWORK=off go test ./...

[Copilot]

Pull request overview

Modernizes the repository’s CI/release workflow supply chain by pinning GitHub Actions to exact SHAs, updating the Go baseline, and standardizing wfctl usage (including checksum-verified installation for release validation).

Changes:

• Pinned multiple GitHub Actions in CI/release/IaC workflows to specific commit SHAs with version annotations.
• Updated the Go version baseline referenced by workflows via go-version-file.
• Updated wfctl usage to v0.74.6 and added a release-workflow install path with checksum verification.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
go.mod	Updates the module’s declared Go version baseline.
.github/workflows/release.yml	Pins actions, installs wfctl with checksum validation, and updates release/publish steps.
.github/workflows/ci.yml	Pins checkout/setup-go actions and bumps wfctl used for strict contract validation.
.github/workflows/iac-host-conformance.yml	Pins checkout/setup-go actions and disables Go caching for the job.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.