CI: hardened GitHub Actions workflows (least privilege, pinned SHAs, OIDC)

[mwaldheim]

Goal

All GitHub Actions workflows must follow supply chain security best practices — checked by OpenSSF Scorecard 'Token-Permissions' and 'Dangerous-Workflow' checks.

Tasks

• Set permissions: read-all at top level of every workflow, grant only what's needed per job
• Pin all uses: action references to full commit SHAs (not tags)
• Use OIDC token for cloud auth (no long-lived secrets)
• No pull_request_target with untrusted code checkout
• Add GITHUB_TOKEN minimal scope annotations
• Validate third-party actions (use �ctionlint in CI)
• Add �ctionlint GitHub Action check

[mwaldheim]

Progress update (2026-05-23):\n\n- Added actionlint workflow in PR #104 (.github/workflows/actionlint.yaml).\n- Existing workflows already use permission blocks; further hardening/pinning tasks in this issue are still pending.\n\nStatus: keep open as tracking issue; partially addressed by PR #104.