ci: pin GitHub Actions to full-length commit SHAs

[maxandersen]

Pin all action references to full-length commit SHAs for supply chain security.

This is required for enabling the org-level policy:
Require actions to be pinned to a full-length commit SHA

Original version tags are preserved as comments for readability.
Consider adding Dependabot for GitHub Actions to keep pins updated:

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

[coderabbitai]

Warning

Rate limit exceeded

@maxandersen has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 54 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: eaeb05dd-c349-4c07-abc6-6d3039df8adf

📥 Commits

Reviewing files that changed from the base of the PR and between 9eb2b1d and 239067d.

📒 Files selected for processing (2)

• .github/workflows/build.yaml
• .github/workflows/publish.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pin-actions-to-sha

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}