chore(security): cooldown, deterministic installs, harden labeler workflow

- dependabot.yml: add cooldown (default-days: 3) to all entries; replace
  github-actions groups with single actions:patterns:['*'] group
- build.yml: replace npm install -g markdownlint-cli with npm ci + npx markdownlint;
  add root package.json + package-lock.json
- requirements.txt: hash-pinned (uv pip compile --generate-hashes) for
  ghastoolkit + yq
- coverage.yml, publish.yml, release.yml, version.yml: pip install -r
  requirements.txt --require-hashes
- labeler.yml: remove actions/checkout step (actions/labeler@v6 does not need it)

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

Author: Copilot

.github/dependabot.yml

@@ -17,11 +17,11 @@ updates:
       prefix-development: chore
     labels:
       - "Dependencies"
+    cooldown:
+      default-days: 3
     groups:
-      production-dependencies:
-        dependency-type: "production"
-      development-dependencies:
-        dependency-type: "development"
+      actions:
+        patterns: ["*"]
 
   - package-ecosystem: "cargo"
     directory: "/"
@@ -35,6 +35,8 @@ updates:
       prefix-development: chore
     labels:
       - "Dependencies"
+    cooldown:
+      default-days: 3
     groups:
       production-dependencies:
         dependency-type: "production"

.github/workflows/build.yml

@@ -162,5 +162,5 @@ jobs:
       - name: "Lint Markdown"
         if: steps.changes.outputs.src == 'true'
         run: |
-          npm install -g markdownlint-cli
-          markdownlint '**.md' --ignore node_modules --disable MD013
+          npm ci
+          npx markdownlint '**.md' --ignore node_modules --disable MD013

.github/workflows/coverage.yml

@@ -18,7 +18,7 @@ jobs:
       - name: "Run Coverage Report"
         if: github.ref == 'refs/heads/main'
         run: |
-          pip install ghastoolkit
+          pip install -r requirements.txt --require-hashes
           ./scripts/create-coverage.py report --markdown > $GITHUB_STEP_SUMMARY
 
       - name: "Upload Coverage Report"

.github/workflows/labeler.yml

@@ -17,7 +17,6 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/checkout@v6
     - uses: actions/labeler@v6
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/publish.yml

@@ -25,7 +25,7 @@ jobs:
         run: |
           set -e
 
-          pip install yq
+          pip install -r requirements.txt --require-hashes
           current_version=$(cat .release.yml | yq -r ".version")
 
           released_version=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/:owner/:repo/releases/latest | jq -r ".tag_name")

.github/workflows/release.yml

@@ -37,7 +37,7 @@ jobs:
         id: get_version
         run: |
           set -e
-          pip install yq
+          pip install -r requirements.txt --require-hashes
           echo "version=$(cat .release.yml | yq -r ".version")" >> "$GITHUB_ENV"
           echo "release=true" >> "$GITHUB_ENV"
 

.github/workflows/version.yml

@@ -29,7 +29,7 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          pip install ghastoolkit
+          pip install -r requirements.txt --require-hashes
           python ./.github/scripts/codeql.py version \
             --bump "${{ github.event.inputs.bump }}"