fix(ci): pin GitHub Actions to commit SHAs

[RecreationalMath]

What does this PR do?

Pins all GitHub Actions and reusable-workflow references to immutable commit SHAs - as agreed with @justusschock in this comment on #3365.

This covers 41 references across 13 files (11 workflows + 2 composite actions). Each action is pinned to the commit its current tag resolves to, with the release version kept as a trailing comment (e.g. actions/checkout@de0fac2… # v6.0.2), the format Dependabot recognises, so it keeps the SHAs current going forward. No behaviour change as every pin points at the same commit the tag already ran.

A few notes for the reviewer:

• greetings.yml is intentionally excluded, it's pinned separately in fix(ci): align greetings workflow inputs with first-interaction@v3 #3365.
• The 3 commented-out uses: lines in publish-pkg.yml aren't pinned as they are inactive. Their tags were replaced with a @<COMMIT_SHA> placeholder plus a note that the repo now pins SHAs, recording the last tag in use.
• Open Dependabot PRs build(deps): bump docker/login-action from 3 to 4 #3369, build(deps): bump docker/build-push-action from 6 to 7 #3368, build(deps): bump astral-sh/setup-uv from 6 to 7 #3301 and build(deps): bump Lightning-AI/utilities/.github/workflows/check-md-links.yml from 0.15.2 to 0.15.3 #3370 bump some of these actions. As this PR pins them at their current versions, those will conflict on merge, but Dependabot auto-rebases tag bumps into SHA bumps once an action is SHA-pinned, so the upgrades aren't lost, only re-sequenced. (build(deps): bump actions/labeler from 5 to 6 #3281 seems to be stale as it bumps actions/labeler, which is already removed by ci: delete all pull_request_target workflows #3382)
• Incidental finding while doing this: the slash-command workflows (slash-cmd-dispatch, cmd-help, cmd-rebase) are currently non-functional. slash-cmd-dispatch fails on every run because the PAT_GHOST secret is empty, so /rebase and /help never dispatch. Will fill this as a separate issue Filed at Slash-command workflows are non-functional (Slash Command Dispatch fails on every run) #3393.

Before submitting

• (agreed in this comment on fix(ci): align greetings workflow inputs with first-interaction@v3 #3365) Was this discussed/agreed via a Github issue?
• Did you read the contributor guideline, Pull Request section?
• (Not required, CI-only config change) Did you make sure to update the docs?
• (Not required, CI-only config change) Did you write any new necessary tests?

PR review

Anyone in the community is free to review the PR once the tests have passed.
If we didn't discuss your PR in Github issues there's a high chance it will not be merged.

Did you have fun?

Oh yes, preventing a tj-actions/changed-files style supply chain attack sure is fun.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37%. Comparing base (d184220) to head (f08eed6).
⚠️ Report is 2 commits behind head on master.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@          Coverage Diff           @@
##           master   #3392   +/-   ##
======================================
  Coverage      37%     37%           
======================================
  Files         349     349           
  Lines       19901   19901           
======================================
  Hits         7264    7264           
  Misses      12637   12637           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.