ci: pin action SHAs, add permissions, and add Python 3.14 to matrix (#6)

Address review nits from #5:
- Pin actions/checkout and astral-sh/setup-uv to commit SHAs (consistent
  with publish.yml, eliminates mutable-tag supply-chain risk)
- Add top-level permissions: contents: read (least privilege, matches
  publish.yml)
- Add Python 3.14 to test matrix (matches pyproject.toml classifiers)

Co-authored-by: Eddie A Tejeda <669988+eddietejeda@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: eddietejeda

.github/workflows/ci.yml

@@ -10,20 +10,23 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
         with:
           enable-cache: true