fix(ci): pin publish workflow actions in secret-bearing jobs #108

Merged: chaliy merged 2 commits into main from 2026-05-17-fix-publish-workflow-security-vulnerability on May 17, 2026
chaliy (Contributor) commented May 17, 2026

Motivation

  • Close a supply-chain vulnerability where mutable GitHub Action refs ran in publish jobs that later receive CARGO_REGISTRY_TOKEN, allowing a compromised action to tamper with the runner and exfiltrate the token.
  • Harden the publish workflow without changing the existing publish flow or behavior.

Description

  • Pinned actions/checkout to a full commit SHA in both publish-fetchkit and publish-fetchkit-cli jobs to remove mutable tag/branch risk.
  • Replaced dtolnay/rust-toolchain@stable with explicit rustup install and rustup default stable steps to avoid executing an unpinned third-party action before secrets are available.
  • Kept the existing cargo publish steps and job ordering intact so publish behavior is unchanged.

Testing

  • Verified the updated .github/workflows/publish.yml contents and line-by-line output with sed/nl to confirm the intended changes were applied.
  • Committed the change locally with git commit to ensure the repository accepts the modified workflow file.
  • Could not run CI or workspace Rust tests in this environment due to missing remote access, so recommend running cargo test --workspace and letting CI validate the workflow and secrets handling before merging.

Codex Task

The previous pin 692973e was actions/checkout v4.1.7, not v6 as the
workflow intended. Update to the actual v6 commit SHA and add the
version comment for human-readability.

chaliy (Contributor, Author) commented May 17, 2026

Fix-up pushed. Codex's pin 692973e3d937129bcbf40652eb9f2f61becf3332 is actually actions/checkout v4.1.7 (June 2024 release) — the workflow used @v6 before, so this would have silently downgraded the action by two majors. Verified via the GitHub API.

Replaced both occurrences with the actual v6 SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd and added a # v6 trailing comment per convention. Rest of the change (replacing dtolnay/rust-toolchain@stable with explicit rustup install on the pre-installed toolchain) is good.


Generated by Claude Code

chaliy merged commit 48f947c into main May 17, 2026
11 checks passed
chaliy deleted the 2026-05-17-fix-publish-workflow-security-vulnerability branch May 17, 2026 17:26
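
Added example, not part of the pull request or the project's code: a small audit that flags `uses:` references not pinned to a full commit SHA and pins whose trailing version comment disagrees with the tag the commit belongs to, which is the silent-downgrade case caught in the fix-up above. The workflow text is a constructed sample, and the `KNOWN_COMMITS` table and function names are assumptions; the two commit values are the ones quoted in the thread.

```python
import re

# (action, commit) -> tag, using the two checkout commits quoted in the thread.
# Assumption: a real check resolves tags from the action's repository instead.
KNOWN_COMMITS = {
    ("actions/checkout", "de0fac2e4500dabe0009e67214ff5f5447ce83dd"): "v6",
    ("actions/checkout", "692973e3d937129bcbf40652eb9f2f61becf3332"): "v4.1.7",
}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)\s*(?:#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample, not the project's publish.yml.
SAMPLE = """\
jobs:
  publish-fetchkit:
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
"""

def audit_workflow(text, known=KNOWN_COMMITS):
    """Return (line_no, action, problem) for each risky `uses:` reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((no, action, f"mutable ref '{ref}'"))
            continue
        actual = known.get((action, ref))
        if comment is None:
            findings.append((no, action, "pinned without a version comment"))
        elif actual is None:
            findings.append((no, action, f"cannot verify comment '{comment}'"))
        elif actual != comment:
            findings.append((no, action, f"comment says {comment}, commit is {actual}"))
    return findings

if __name__ == "__main__":
    for no, action, problem in audit_workflow(SAMPLE):
        print(f"line {no}: {action}: {problem}")
```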