
Harden CI #2091

Merged
zachdaniel merged 1 commit into ash-project:main from maennchen:jm/harden-ci
Jun 3, 2025

Conversation

@maennchen
Contributor

@maennchen maennchen commented Jun 3, 2025

What’s changed

  • Actions pinned to commit SHAs – Every third-party Action reference now points to an immutable Git commit instead of a moving tag.
  • Least-privilege permissions – The workflow’s top-level token is limited to contents:read; individual jobs elevate only to the scopes they actually need (e.g., contents:write).
  • Dependabot – Update GitHub Actions; weekly grouped update.

Why it matters

Pinning Actions guards against supply-chain attacks and unexpected upstream changes, giving us deterministic, auditable builds. Restricting the default token to read-only follows GitHub’s least-privilege guidance, reducing the blast radius if a job is ever compromised while still allowing specific jobs to perform their required tasks.

How did I implement this?

I used this tool to generate the changes: https://app.stepsecurity.io/secure-workflow

ScoreCard

This change should bring the Token-Permissions and Pinned-Dependencies checks to 10.

Follow up to #2089

Contributor checklist

  • Bug fixes include regression tests
  • Chores
  • Documentation changes
  • Features include unit/acceptance tests
  • Refactoring
  • Update dependencies
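The two workflow properties the PR description lists (third-party Actions pinned to a full commit SHA, and a read-only top-level `permissions:` block with per-job elevation) can be checked mechanically. The following is an added example, not code from this PR, the ash-project repository, or the StepSecurity tool: it embeds a constructed "before" workflow and a constructed "after" workflow, then runs a small line-based audit over each. The action names (`example-org/checkout`, `example-org/setup-tool`) and the 40-hex SHAs are placeholders, not real actions or commits.

```python
"""Audit a GitHub Actions workflow for two hardening properties:
  1. every `uses:` reference points at a 40-hex commit SHA, not a mutable tag/branch;
  2. a top-level `permissions:` block exists and grants no `write` scope
     (jobs that need more, e.g. contents:write, elevate individually).
Line-based on purpose so it needs only the standard library; it is a lint,
not a full YAML parser."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_PERMS_RE = re.compile(r"^permissions:\s*([^#]*)")        # column 0 => workflow level
SCOPE_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\b")

# Constructed "before": mutable tags, no permissions block (default token scopes apply).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4        # placeholder action, mutable tag
      - uses: example-org/setup-tool@v3      # placeholder action, mutable tag
      - run: make test
"""

# Constructed "after": SHA pins, read-only default token, one job elevating to contents:write.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4, placeholder SHA
      - uses: example-org/setup-tool@89abcdef0123456789abcdef0123456789abcdef # v3, placeholder SHA
      - run: make test
  release:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4, placeholder SHA
      - run: make release
"""


def audit_workflow(text: str) -> dict:
    """Return {'unpinned': [(line_no, ref), ...], 'top_level_permissions': None|str|dict}."""
    lines = text.splitlines()
    unpinned = []
    top_perms = None
    i = 0
    while i < len(lines):
        line = lines[i]
        m = TOP_PERMS_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value:                              # shorthand form: read-all / write-all / {}
                top_perms = value
            else:                                  # mapping block follows, one scope per line
                top_perms = {}
                while i + 1 < len(lines) and lines[i + 1].startswith(" "):
                    i += 1
                    s = SCOPE_RE.match(lines[i])
                    if s:
                        top_perms[s.group(1)] = s.group(2)
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local actions and docker images are not tag-pinned GitHub references; skip them.
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.rpartition("@")  # no '@' at all -> version == ref -> flagged
                if not SHA40.match(version):
                    unpinned.append((i + 1, ref))
        i += 1
    return {"unpinned": unpinned, "top_level_permissions": top_perms}


def is_hardened(text: str) -> bool:
    """True only if every action is SHA-pinned and the default token is read-only."""
    result = audit_workflow(text)
    perms = result["top_level_permissions"]
    if result["unpinned"] or perms is None:
        return False
    if isinstance(perms, str):
        return perms in ("read-all", "{}")
    return all(level != "write" for level in perms.values())


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        r = audit_workflow(wf)
        print(f"{label}: hardened={is_hardened(wf)} unpinned={r['unpinned']} "
              f"top_level_permissions={r['top_level_permissions']}")
```

Run as a script it reports the weak workflow as failing (two unpinned refs on lines 7 and 8, no top-level permissions) and the hardened one as passing; the `release` job's `contents: write` is job-scoped and therefore not counted against the default token. Pinning to a SHA freezes the action, so a Dependabot entry with `package-ecosystem: "github-actions"` (as the PR adds, on a weekly grouped schedule) is what keeps the pins moving forward under review.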

@zachdaniel zachdaniel merged commit f4cdd2d into ash-project:main Jun 3, 2025
36 checks passed
@zachdaniel
Contributor

🚀 Thank you for your contribution! 🚀

@maennchen maennchen deleted the jm/harden-ci branch June 3, 2025 14:32