pin workflow actions to secure commit SHAs 📌#818

Merged
phinze merged 2 commits into main from update-github-actions-node-24 on May 27, 2026
Conversation

@phinze
Contributor

@phinze phinze commented May 21, 2026

Just some supply chain hygiene. Using immutable commit SHAs instead of mutable tags is generally the way to go for GitHub Actions, so I pinned everything across the test, release, and docs workflows.

I also bumped a few of the older actions to their latest versions and disabled credential persistence on the checkout steps to keep things locked down.
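An added check, not code from this PR or the project, that audits a workflow file for the two hygiene items the description mentions: `uses:` references that are not 40-hex commit SHAs, and `actions/checkout` steps that leave `persist-credentials` at its default of true. The workflow text and the SHAs in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the PR); the 40-hex SHAs are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
      - uses: actions/checkout@1111111111111111111111111111111111111111 # placeholder SHA
        with:
          fetch-depth: 0
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_number, message) findings for mutable action refs and
    checkout steps that keep the default persist-credentials: true."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((i + 1, f"{action} pinned to mutable ref {version!r}"))
        if action == "actions/checkout":
            # The step's `with:` block is every following line indented deeper than `- uses:`.
            indent = len(line) - len(line.lstrip())
            persist_false = False
            for nxt in lines[i + 1:]:
                if nxt.strip() and (len(nxt) - len(nxt.lstrip())) <= indent:
                    break
                if re.match(r"^\s*persist-credentials:\s*false\b", nxt):
                    persist_false = True
            if not persist_false:
                findings.append((i + 1, "actions/checkout keeps persist-credentials (default true)"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Run it against real workflow files by reading them in place of `SAMPLE_WORKFLOW`; the regex scan deliberately avoids a YAML dependency, so `docker://` and local `./` action references are reported as unpinned and need manual review.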

@phinze phinze requested a review from a team as a code owner May 21, 2026 20:51
@coderabbitai

coderabbitai Bot commented May 21, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ec85782 and 39334e3.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Walkthrough

This PR pins GitHub Actions and third-party actions to specific commit SHAs across three CI/CD workflow files. The docs workflow updates actions for checkout, Go setup, Bun setup, artifact uploads, and Slack notifications. The release workflow pins actions across seven jobs (init, package, build-binaries, build-and-push-docker, upload-to-miren, update-homebrew-tap, notify), including Docker and Google Cloud authentication actions. The test workflow pins actions across six jobs (lint, test-groups, test-runner, test-blackbox, test-blackbox-pop, build), with checkout steps now setting persist-credentials: false. Workflow logic, job structure, and command execution remain unchanged.



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In @.github/workflows/release.yml:
- Line 624: The GitHub App token created by the actions/create-github-app-token
step is currently unscoped and inherits all installation permissions; restrict
it to least privilege because it’s only used to run the external workflow via gh
workflow run. Modify the step that uses
actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 to pass
permission inputs (e.g., permission-actions: write) so the generated token only
has the Actions write permission required to trigger mirendev/homebrew-tap's
update-cask.yml; ensure the token variable used by the gh workflow run
invocation is updated accordingly.

📥 Commits

Reviewing files that changed from the base of the PR and between 10dd9b4 and ec85782.

📒 Files selected for processing (3)
  • .github/workflows/docs.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml

@phinze phinze merged commit 056803e into main May 27, 2026
17 checks passed
@phinze phinze deleted the update-github-actions-node-24 branch May 27, 2026 20:48