fix: update actions to latest versions and suppress false positive zizmor finding

Update actions/checkout to v6.0.2 and actions/setup-node to v4.4.0
with pinned SHAs. Suppress false positive cache-poisoning finding for
setup-node in publish.yml (caching is not enabled without explicit
cache: config).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: reberhardt7

.github/workflows/publish.yml

@@ -25,10 +25,10 @@ jobs:
           else
             echo "dryRun=false" >> $GITHUB_OUTPUT;
           fi
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       - run: npm ci
       - name: Publish to Open VSX Registry
         if: success() || failure()

.github/zizmor.yml

@@ -1,3 +1,6 @@
 rules:
   secrets-outside-env:
     disable: true
+  cache-poisoning:
+    ignore:
+      - publish.yml