ci: pin third-party GitHub Actions to commit SHAs

[satyakwok]

Round-2 audit fix. Pins all unpinned third-party action uses: to current commit SHAs (immutable). Tag annotations preserved as trailing comments for future bumps.

[coderabbitai]

Warning

Rate limit exceeded

@satyakwok has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 2 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 52490ebc-0c30-4017-b81c-cb2d7cf0a7aa

📥 Commits

Reviewing files that changed from the base of the PR and between 7b95d93 and 6242b6c.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/codeql.yml
• .github/workflows/docker-publish.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/pin-actions-sha

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[satyakwok]

Retracting — the SHAs in main are real (verified e.g. codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 = v4.6.0 release commit). My earlier comment was based on a stale CI log from an earlier iteration of this branch, before the SHAs were corrected. Main CI is green. Sorry for the noise.