Hash pin GitHub Actions

[hugovk]

Yet another compromise via unpinned GitHub Actions: https://socket.dev/blog/bitwarden-cli-compromised

Let's hash-pin GHA.

Done via uvx gha-update.

We can add Renovate or Dependabot later to update these once a month or so, but that can wait for #636 when we get admin access to enable those.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.14%. Comparing base (564619d) to head (74282ac).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #640   +/-   ##
=======================================
  Coverage   93.14%   93.14%           
=======================================
  Files          29       29           
  Lines        3226     3226           
=======================================
  Hits         3005     3005           
  Misses        221      221           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[hugovk]

Yet another, this time via template injection:

https://www.stepsecurity.io/blog/elementary-data-compromised-on-pypi-and-ghcr-forged-release-pushed-via-github-actions-script-injection