ci: pin Docker actions to SHA and bump setup-bazel per ASF allowlist

[hubcio]

Pin all Docker actions to SHA-pinned versions per ASF allowlist policy
and restore docker/setup-buildx-action (reverts shell workaround from
ba8e865). Bump bazel-contrib/setup-bazel from v0.15.0 to v0.18.0
before ASF allowlist expiry on 2026-03-31.

Allowlist PR: apache/infrastructure-actions#547

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.87%. Comparing base (f0e8578) to head (e5c30a2).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #2999      +/-   ##
============================================
+ Coverage     71.81%   71.87%   +0.06%     
  Complexity      930      930              
============================================
  Files          1116     1117       +1     
  Lines         92616    92952     +336     
  Branches      70139    70485     +346     
============================================
+ Hits          66512    66810     +298     
- Misses        23543    23573      +30     
- Partials       2561     2569       +8     

Flag	Coverage Δ
csharp	67.43% <ø> (-0.21%)	⬇️
go	36.38% <ø> (ø)
java	62.08% <ø> (ø)
node	91.37% <ø> (-0.15%)	⬇️
python	81.43% <ø> (ø)
rust	72.60% <ø> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.