ci: pin zizmor workflow to commit SHAs of annotated tags

The previous SHAs for astral-sh/setup-uv@v6 and
github/codeql-action@v3 were the annotated tag-object SHAs rather
than the underlying commit SHAs. GitHub Actions accepts both, but
zizmor's impostor-commit fast path resolves SHAs against the action
repo's tag list and falls back to a GitHub API call when the SHA
matches only a moving major-version tag, producing warnings.

Repinning to the dereferenced commit SHAs (which also correspond
to immutable point-release tags) lets zizmor verify them locally
and silences the warnings.

Author: claude

.github/workflows/zizmor.yml

@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup uv
-        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
 
       - name: Run zizmor
         run: uvx zizmor --format=sarif . > results.sarif
@@ -36,7 +36,7 @@ jobs:
 
       - name: Upload SARIF file
         if: always()
-        uses: github/codeql-action/upload-sarif@52485aec7be33610227643b0fe83936b8b5f061a # v3
+        uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
         with:
           sarif_file: results.sarif
           category: zizmor