
ci: pin GitHub Actions to full commit SHAs #1014

Merged
mergify[bot] merged 1 commit into python-wheel-build:main from mprpic:pin-github-actions-shas
Apr 2, 2026

Conversation

@mprpic
Contributor

@mprpic mprpic commented Apr 2, 2026

Pull Request Description

What

Pins all third-party GitHub Actions to their full commit SHAs instead of mutable tags to prevent supply chain attacks via tag manipulation. The original tag/branch is preserved as an inline comment for readability.

Dependabot is already configured to propose updates to these actions any time a new version is released.

See also #1008.

Why

https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

Pins all third-party GitHub Actions to their full commit SHAs instead of
mutable tags to prevent supply chain attacks via tag manipulation. The
original tag/branch is preserved as an inline comment for readability.

Dependabot is already configured to propose updates to these actions any
time a new version is released.

See also python-wheel-build#1008.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>
@mprpic mprpic requested a review from a team as a code owner April 2, 2026 01:05
@coderabbitai

coderabbitai bot commented Apr 2, 2026

📝 Walkthrough

This pull request pins external GitHub Actions to specific commit SHAs across three CI/CD workflow files. The .github/workflows/check.yaml file pins actions/checkout and actions/setup-python to fixed commits; .github/workflows/python-publish.yaml pins three actions (checkout, setup-python, and gh-action-pypi-publish); and .github/workflows/test.yaml pins five actions (checkout, setup-python, actions-rs/toolchain, upload-artifact, and download-artifact). All workflow logic, conditions, parameters, and commands remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: 2 passed
  • Title check: Passed. The title accurately summarizes the main change: pinning GitHub Actions to full commit SHAs across multiple workflow files.
  • Description check: Passed. The description is directly related to the changeset, clearly explaining the security rationale for pinning GitHub Actions to commit SHAs and referencing relevant documentation.




@mergify mergify bot added the ci label Apr 2, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/check.yaml:
- Around line 14-19: The workflow currently relies on default token permissions;
update each job to declare explicit minimal read-only permissions by adding a
permissions block (e.g., permissions: contents: read, id-token: write only if
needed) to every job that uses the actions referenced (look for the steps with
uses: actions/checkout@de0fac2e... and uses: actions/setup-python@a309ff8b...),
and repeat the same change for the other jobs highlighted (around the other
occurrences). Ensure you set only the required scopes (typically contents: read
and any specific additional scopes) and remove reliance on implicit default
permissions.

In @.github/workflows/test.yaml:
- Around line 28-31: Add explicit least-privilege permissions blocks to each
GitHub Actions job (e.g., the unit, e2e, and coverage jobs) so they no longer
inherit repository defaults; update the workflow (.github/workflows/test.yaml)
by inserting a permissions mapping under each job definition (unit, e2e,
coverage and any other jobs around the same area) that declares only the
required scopes (for example read-only for contents, packages, checks, and no
write tokens unless explicitly needed) to lock down access even if repo defaults
change.
📥 Commits

Reviewing files that changed from the base of the PR and between 2cf0e7d and 940b112.

📒 Files selected for processing (3)
  • .github/workflows/check.yaml
  • .github/workflows/python-publish.yaml
  • .github/workflows/test.yaml

@mergify mergify bot merged commit 3072a0c into python-wheel-build:main Apr 2, 2026
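Both points raised on this page, the PR's rule that every third-party action is pinned to a full commit SHA with the tag kept as a comment, and CodeRabbit's request that every job declare its own least-privilege `permissions:` block, can be checked mechanically before merge. The script below is an added example written for this page; it is not code from the python-wheel-build project, from the PR author, or from the review bot. It scans workflow text line by line with the standard library only, so it needs no YAML dependency. The sample workflow, its job names, and the 40-hex SHAs in it are constructed placeholders, not real upstream commits.

```python
"""Lint GitHub Actions workflow text for two supply-chain hygiene rules:

1. every remote action or reusable workflow is pinned to a full 40-hex commit
   SHA, with the human-readable tag kept as a trailing comment, and
2. every job declares its own ``permissions:`` block instead of inheriting
   the repository's default GITHUB_TOKEN scopes.

Line scanner rather than a YAML parser so it runs with the standard library.
The workflow text at the bottom is constructed for this example; its SHAs are
placeholders, not real upstream commits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>\S+)\s*(?P<comment>#.*)?$")
TOP_KEY = re.compile(r"^(?P<key>[A-Za-z_][\w-]*):")   # indent 0: workflow-level key
JOB_KEY = re.compile(r"^  (?P<job>[\w-]+):\s*$")       # indent 2 under jobs: a job id
JOB_PERMS = re.compile(r"^    permissions:")           # indent 4: job-level permissions


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def is_remote_action(target: str) -> bool:
    """Local (./path) and docker:// references are not git refs and cannot be SHA-pinned."""
    return not (target.startswith("./") or target.startswith("docker://"))


def check_uses(lineno: int, ref: str, comment: str | None) -> list[Finding]:
    """Apply the pinning rule to one ``uses:`` value such as owner/repo@ref."""
    target, _, rev = ref.rpartition("@")
    if not target:                      # no '@' at all: the whole value is the target
        target, rev = ref, ""
    if not is_remote_action(target):
        return []
    if not FULL_SHA.match(rev):
        return [Finding(lineno, "unpinned-action",
                        f"{ref}: ref {rev or '<none>'!r} is a mutable tag/branch, not a full commit SHA")]
    if not comment:
        return [Finding(lineno, "no-version-comment",
                        f"{target}: pinned to a SHA but the tag it corresponds to is not recorded in a comment")]
    return []


def lint_workflow(text: str) -> list[Finding]:
    """Return findings in scan order; missing-permissions findings are appended last."""
    findings: list[Finding] = []
    in_jobs = False
    current_job: str | None = None
    jobs: list[tuple[str, int]] = []    # (job id, line it was declared on)
    jobs_with_perms: set[str] = set()

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:
            in_jobs = top.group("key") == "jobs"
            current_job = None
            continue
        if in_jobs:
            job = JOB_KEY.match(line)
            if job:
                current_job = job.group("job")
                jobs.append((current_job, lineno))
                continue
            if current_job and JOB_PERMS.match(line):
                jobs_with_perms.add(current_job)
        uses = USES_LINE.match(line)
        if uses:
            ref = uses.group("ref").strip("'\"")
            findings.extend(check_uses(lineno, ref, uses.group("comment")))

    for name, lineno in jobs:
        if name not in jobs_with_perms:
            findings.append(Finding(lineno, "missing-job-permissions",
                                    f"job {name!r} inherits the repository default GITHUB_TOKEN scopes"))
    return findings


# Constructed sample (not a real workflow from the project); SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: check
on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
      - run: make lint
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

On the sample above the scanner flags the tag-pinned `actions/checkout@v4`, the SHA pin that lost its tag comment, and the `test` job that has no `permissions:` block, while the local `./.github/actions/...` reference is skipped because it is not a git ref. Two caveats worth keeping in mind: the SHA comment is informational only, so Dependabot (whose `github-actions` ecosystem understands SHA pins and updates the trailing tag comment along with the SHA) is what keeps it honest over time; and a pinned composite action can itself reference other actions by mutable tag, which a pin at the workflow level does not cover, so the same check is worth running over any composite actions the repository owns.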
37 checks passed