| author | Mitchell Hashimoto <m@mitchellh.com> | 2025-07-06 07:06:38 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-07-06 07:06:38 -0700 |
| commit | d790b0f60e8016237a69dfdb284841392e4e4166 (patch) | |
| tree | 938aca20b2483bddfc93d4eece508b67c69b30f7 /dist/linux | |
| parent | 43083f3af5e71eeb6c9725b55aaaf84b8f51ce6f (diff) | |
| parent | 0a1ade01580a28d66894e127543bab8ad63a4896 (diff) | |
chore(ci): pin GitHub Actions to specific SHAs (#7816)

Follow-up on #7076

SHAs were generated using
[pinact](https://github.com/suzuki-shunsuke/pinact).

By the way, all repository workflows don’t declare permissions, so they
use the defaults, which are usually [too
permissive](https://docs.zizmor.sh/audits/#excessive-permissions). I’d
suggest using per-workflow/job permissions instead, since most (if not
all) jobs don’t need full access. If that’s added, it should go in a
separate issue/PR so we can review the minimum needed per job.

Refs:
https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

You can check everything with this SARIF file:
[ghostty-sarif.json](https://github.com/user-attachments/files/21081630/ghostty-sarif.json)
Read it at https://microsoft.github.io/sarif-web-component/
Diffstat (limited to 'dist/linux')
0 files changed, 0 insertions, 0 deletions
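
The two properties the commit message above is concerned with (every `uses:` reference pinned to a full commit SHA, and every job covered by an explicit `permissions:` block) can be checked as in the following added example, which is not part of the commit and is not how pinact or zizmor work internally. It is a line-based check that assumes two-space YAML indentation; the workflow text, the `example-org/example-action` name and the 40-character SHA are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(text):
    """(line number, reference) for every `uses:` not pinned to a full commit SHA."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images have no git ref to pin
        ref = m.group(1).partition("@")[2]
        if not FULL_SHA.fullmatch(ref):
            found.append((lineno, m.group(1)))
    return found

def jobs_without_permissions(text):
    """Job ids that fall back to the default GITHUB_TOKEN permissions."""
    if re.search(r"^permissions\s*:", text, re.M):
        return []  # a workflow-level block applies to every job
    jobs, declared, in_jobs = [], set(), False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            in_jobs = line.startswith("jobs:")  # any other top-level key ends the jobs map
        elif in_jobs and (m := re.match(r"  ([\w-]+)\s*:", line)):
            jobs.append(m.group(1))  # key at indent 2 under jobs: is a job id
        elif in_jobs and jobs and re.match(r"    permissions\s*:", line):
            declared.add(jobs[-1])  # key at indent 4 belongs to the current job
    return [j for j in jobs if j not in declared]

# Constructed sample workflow (not taken from the repository).
SAMPLE = """\
name: test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    print(unpinned_actions(SAMPLE), jobs_without_permissions(SAMPLE))
```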
