P0: Remove stale/dead lock entries + SHA-pin manual workflows #1014

@microsasa

Context

Follow-up from the security audit report posted in #92 (comment).

Scope update (2026-04-19): Original item #2 (bump gh-aw-actions/setup v0.68.3 → v0.68.7) has been split out to #1021 because it is blocked on an upstream gh-aw CLI release. This issue now covers items #1, #3, #4 only.

P0 Items

1. Remove stale github/gh-aw/actions/setup@v0.58.1 from actions-lock.json

Migration artifact — 44 releases behind, runs unsandboxed shell script with sudo. Should be removed entirely.

2. Update github/gh-aw-actions/setup from v0.68.3 → v0.68.7

Moved to #1021 — blocked on upstream CLI release.

3. Remove dead actions/github-script@v8 from actions-lock.json

Only v9 is used in compiled workflows. v8 is frozen — no further security patches.

4. SHA-pin all actions in manual .yml files

The following workflows use mutable tag references not covered by the lock file:

  • ci.yml: actions/checkout@v6, astral-sh/setup-uv@v7
  • codeql.yml: actions/checkout@v6, github/codeql-action/init@v4, github/codeql-action/analyze@v4
  • copilot-setup-steps.yml: actions/checkout@v6, astral-sh/setup-uv@v7
  • dependency-review.yml: actions/checkout@v6, actions/dependency-review-action@v4
  • pipeline-orchestrator.yml: actions/checkout@v6

A compromised tag push to any of these gives an attacker code execution in CI with access to GH_AW_WRITE_TOKEN.

Labels: security (Security-related issues and improvements)