Hash pin GitHub Actions #173

Merged
hugovk merged 1 commit into ofek:master from hugovk:hash-pin-gha
Apr 28, 2026

hugovk commented Apr 24, 2026

Collaborator

Yet another compromise via unpinned GitHub Actions: https://socket.dev/blog/bitwarden-cli-compromised

Let's hash-pin GHA.

Done via uvx gha-update.

codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (0720138) to head (643172e).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #173   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            6         6           
  Lines          547       558   +11     
  Branches        74        43   -31     
=========================================
+ Hits           547       558   +11     
Flag Coverage Δ
macOS-latest 100.00% <ø> (ø)
ubuntu-latest 100.00% <ø> (ø)
windows-latest 100.00% <ø> (ø)


hugovk commented Apr 28, 2026

Collaborator Author

Yet another, this time via template injection:

https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection

Will merge this, then open another to add https://github.com/zizmorcore/zizmor to pre-commit and fix its findings.

hugovk merged commit 3950b39 into ofek:master Apr 28, 2026
18 checks passed
hugovk deleted the hash-pin-gha branch April 28, 2026 09:39