chore: harden GitHub Actions (P-2208) (#80)

- docs-ci.yml: added permissions: contents: read; SHA-pinned actions/checkout and actions/setup-node; persist-credentials: false on checkout

Refs P-2208.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: keiloktql

.github/workflows/docs-ci.yml

@@ -17,12 +17,16 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: 20