chore: pin GitHub Actions to commit SHAs (#79)

## Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. `actions/checkout@v4`) use a
mutable pointer — the tag owner can move it to a different commit at any
time, including a malicious one. This is the attack vector used in the
tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable.
The `# tag` comment preserves human readability so reviewers can tell
which version is pinned.

Important: a SHA can also originate from a forked repository. A
malicious actor can fork an action, push a compromised commit to the
fork, and the SHA will resolve — but it won't exist in the upstream
canonical repo. Each SHA in this PR was verified against the action's
canonical repository (not a fork).

### Changes

- `actions/checkout@v5` ->
`actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1`
  - Version: v5.0.1 | Latest: v6.0.2 | Release age: 89d
- Commit:
actions/checkout@93cb6ef

- `jdx/mise-action@v3` ->
`jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3`
  - Version: v3.6.3 | Latest: v4.0.1 | Release age: 17d
- Commit:
jdx/mise-action@5228313

- `actions/setup-node@v6` ->
`actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0`
  - Version: v6.3.0 | Latest: v6.3.0 | Release age: 36d
- Commit:
actions/setup-node@53b8394


### Files modified

- `.github/workflows/ci.yml`
- `.github/workflows/publish.yml`

Author: slawomirbabicz

.github/workflows/ci.yml

@@ -9,8 +9,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: jdx/mise-action@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
       - name: Install OS dependencies
         run: |
           sudo apt-get update
@@ -21,16 +21,16 @@ jobs:
   format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: jdx/mise-action@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
       - run: pnpm install
       - run: pnpm prettier --check .
 
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: jdx/mise-action@v3
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
       - name: Install wasm32 target
         run: rustup target add wasm32-unknown-unknown
       - name: Install OS dependencies

.github/workflows/publish.yml

@@ -25,8 +25,8 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
@@ -55,8 +55,8 @@ jobs:
       id-token: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
-      - uses: actions/setup-node@v6
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"