ci: pin actions to commit SHAs and restrict default permissions

Address Greptile review findings:
- Pin checkout, setup-uv, and download-artifact to commit SHAs
  matching the pattern from #517
- Add top-level permissions: {} to restrict default token scope

Author: andreatgretel

.github/workflows/publish-devnotes.yml

@@ -7,6 +7,8 @@ on:
       - "docs/devnotes/**"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build-notebooks:
     uses: ./.github/workflows/build-notebooks.yml
@@ -21,17 +23,17 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           version: "0.9.5"
       - name: Set up Python
         run: uv python install 3.11
       - name: Install dependencies for docs
         run: uv sync --all-packages --group docs
       - name: Download notebooks
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: notebooks
           path: docs/notebooks