ci: pin non-GitHub-owned GitHub Actions

[marten-seemann]

Pin codecov/codecov-action to a specific commit SHA in CI workflow

Replaces the floating v7 tag with the pinned commit SHA fb8b3582 (v7.0.0) for both Codecov upload steps in unit.yml. This follows security best practices for third-party GitHub Actions by ensuring the action cannot be silently changed by an upstream tag move.

^{Macroscope summarized 1c50bd6.}

[Copilot]

Pull request overview

Pins the third-party Codecov GitHub Action in the unit-test workflow to a specific commit SHA, improving supply-chain security and making CI behavior deterministic.

Changes:

• Replaced codecov/codecov-action@v7 with a commit-pinned reference for v7.0.0 in the coverage upload step.
• Replaced codecov/codecov-action@v7 with the same commit-pinned reference for v7.0.0 in the test report upload step.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.90%. Comparing base (9bd4b3a) to head (1c50bd6).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #122   +/-   ##
=======================================
  Coverage   72.90%   72.90%           
=======================================
  Files           4        4           
  Lines         406      406           
=======================================
  Hits          296      296           
  Misses         70       70           
  Partials       40       40           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.