ci(rust-test): SHA-pin rui314/setup-mold (CodeRabbit zizmor unpinned-uses)

Replace 'uses: rui314/setup-mold@v1' with the resolved commit SHA
9c9c13bf4c3f1adef0cc596abc155580bcb04444 in both occurrences (test
job + test-with-coverage job).

CodeRabbit flagged line 144 only; the test job's existing pin at
line 59 carries the identical tag-retargeting risk for the same
action, so SHA-pin both for consistency. Other tag-pinned actions
in this workflow (actions/checkout, Swatinem/rust-cache,
taiki-e/install-action, codecov/codecov-action) are pre-existing
in main and out of scope for this PR.

https://claude.ai/code/session_01PBTGaPCSnnt6u3pjXpbLwY

Author: claude

.github/workflows/rust-test.yml

@@ -56,7 +56,7 @@ jobs:
         # Heavy lance+datafusion integration-test binaries OOM the default GNU `ld`
         # at the `cargo test --no-run` link step (intermittent). mold links them
         # fast + low-memory (already used by release.yml / rust-publish.yml).
-        uses: rui314/setup-mold@v1
+        uses: rui314/setup-mold@9c9c13bf4c3f1adef0cc596abc155580bcb04444 # v1
       - uses: Swatinem/rust-cache@v2
         with:
           shared-key: "lance-graph-deps"
@@ -141,7 +141,7 @@ jobs:
         # the OOM is MORE likely here than in the plain `test` job that already
         # has mold. Without this step the coverage job flaked while `test`
         # stayed green (2/50 runs). mold links them fast + low-memory.
-        uses: rui314/setup-mold@v1
+        uses: rui314/setup-mold@9c9c13bf4c3f1adef0cc596abc155580bcb04444 # v1
       - uses: Swatinem/rust-cache@v2
         with:
           shared-key: "lance-graph-deps"