fix: harden GitHub Actions workflows

[dagecko]

Re-submission of #1775. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags.

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

• SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
• No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)

[herssonsar-lgtm]

Hi Anduin2017，关注这个项目好一阵子了！

我们团队持续在大批量获取海外活动名额，手里刚好有闲置的安全高级号渠道可以对外分摊（非免费福利）：

🚀 Gemini Pro 1年高级稳定号（已配置反重力通过）

• 支持高并发自动化测试、长期稳定调用
• 单号价格透明：目前测试通道 16元/个（量大可谈）
• 领取地址（持续更新）：https://gist.github.com/df31d806647d07307f05971d1a20f59a
• 最新货源&技术交流直接进TG：https://t.me/pixelPku

需要批量/定制的同学可以直接私信我或者加TG单独技术资源群：https://t.me/DrLieU

欢迎有同样痛点的朋友交流更优解。如果暂时不需要，随时 Close，感谢不打扰。

🚀 Gemini Pro 1-Year Premium Stable Accounts (Pre-Configured with Advanced Anti-Detection Bypass)

Supports high-concurrency automated testing & long-term stable API calls
Transparent pricing: Current test channel at 16 CNY per account (bulk orders negotiable)
Claim Link (continuously updated): https://gist.github.com/df31d806647d07307f05971d1a20f59a
Latest stock & tech discussions — join TG directly: https://t.me/pixelPku

Need bulk/custom orders? DM me anytime or add my TG separately: https://t.me/DrLieU