chore(ci): pin GitHub Actions to immutable commit SHAs

[Copilot]

Description

Pin all GitHub Actions uses: references in .github/workflows/*.yml from floating tags/branch refs to immutable full commit SHAs. This prevents unexpected changes if an action tag is moved, while keeping the original ref as an inline comment (e.g. # v6, # v10.0.2, # release/v1) so maintainers can easily see which version is pinned.

The existing dependabot.yml already configures the github-actions ecosystem with weekly updates, so Dependabot will continue detecting upstream changes and opening PRs to bump the pinned SHAs.

Resolves or fixes issue: #532

AI Tool Disclosure

• My contribution does not include any AI-generated content
• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: GitHub Copilot Coding Agent
  • LLMs and versions: Claude Sonnet 4.5
  • Prompts: Pin all GitHub Actions workflow uses: references to immutable commit SHAs while preserving Dependabot update behavior via inline tag comments.

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}