ci: pin GitHub Actions to SHA digests (fix zizmor unpinned-uses)#68

Merged
maxrjones merged 1 commit into main from fix/pin-github-actions
Apr 3, 2026

Conversation

@lhoupert
Contributor

@lhoupert lhoupert commented Apr 3, 2026

Pin GitHub Actions to SHA digests

Zizmor detected 12 unpinned-uses findings in .github/workflows/.

GitHub Actions referenced by tag (e.g. actions/checkout@v4) are vulnerable to tag mutation — a compromised or hijacked tag can introduce malicious code into CI runs. Pinning to a full commit SHA (e.g. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4) eliminates this supply-chain risk.

This PR pins all workflow steps to their current SHA using pin-github-action, fixing 12 findings.

Recommended next steps

  1. Enable Dependabot for github-actions to keep pinned SHAs up-to-date automatically (a companion PR will be opened for this repo).
  2. Add zizmor-action for continuous workflow security scanning in CI.

Generated by ds-security-scanning zizmor-cli-unpinned-uses
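Added example (not code from this PR, the project, or zizmor): a small check in the spirit of zizmor's unpinned-uses rule, run over a constructed workflow. It treats any remote `uses:` reference whose version part is not a full 40-hex commit SHA as unpinned, and skips local (`./`) and `docker://` references, which this rule does not cover.

```python
import re

# Constructed sample workflow mixing pinned and unpinned steps (not from the PR).
# The checkout SHA is the one quoted in the PR description.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/cache@main
      - uses: org/tool@abcdef0
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches a `uses:` step line, optionally quoted; the trailing `# v4` comment is not captured.
USES = re.compile(r"^\s*-?\s*uses:\s*(['\"]?)(\S+)\1")


def classify_uses(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'skip' for one `uses:` reference."""
    if ref.startswith("./"):         # local composite action: no remote tag to mutate
        return "skip"
    if ref.startswith("docker://"):  # container image: pin by image digest, out of scope here
        return "skip"
    if "@" not in ref:               # no version at all, resolves to the default branch
        return "unpinned"
    _, _, version = ref.rpartition("@")
    # Tags, branches and short SHAs are all mutable or ambiguous; only a full SHA counts.
    return "pinned" if FULL_SHA.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for every remote action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if m and classify_uses(m.group(2)) == "unpinned":
            findings.append((lineno, m.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned uses: {ref}")
```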

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.32%. Comparing base (43174a1) to head (e844455).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #68      +/-   ##
==========================================
- Coverage   98.47%   98.32%   -0.15%     
==========================================
  Files          21       21              
  Lines         981     1015      +34     
  Branches      130      134       +4     
==========================================
+ Hits          966      998      +32     
  Misses          7        7              
- Partials        8       10       +2     

☔ View full report in Codecov by Sentry.

@maxrjones maxrjones merged commit 8ef5472 into main Apr 3, 2026
12 checks passed
@maxrjones maxrjones deleted the fix/pin-github-actions branch April 3, 2026 14:19