Apply CI security best practices

[woodruffw]

Hi there! uv is a downstream user of this crate, and as a result we have an interest in ensuring your CI/CD is as secure, hermetic, and reproducible as possible 🙂

To that end, this PR has a series of commits (each of which can be reviewed separately) that will hopefully improve your default posture. These changes were made based on findings from zizmor.

To summarize:

1. All actions references are now hash-pinned, to prevent unexpected tag mutation. Dependabot will handle updating these hash-pins for you.
2. Dependabot itself now enforces a seven-day cooldown, to reduce the risk of quickly adopting a compromised dependency.
3. I've minimized all permissions and credential persistence risks in all workflows. This should be reviewed carefully, since it's hard to predict ahead-of-time whether some permissions were being used implicitly.
4. I've eliminated all flagged template injection risks. Most of these are not exploitable in practice, but intermediating expressions with shell variables ${FOO} instead of ${{ foo }} is a best practice anyways.

After all of that, the only remaining default finding is this:

info[use-trusted-publishing]: prefer trusted publishing for authentication
  --> ./.github/workflows/release.yml:40:14
   |
40 |       - run: cargo publish --workspace
   |         ---  ^^^^^^^^^^^^^^^^^^^^^^^^^ this command
   |         |
   |         this step
   |
   = note: audit confidence → High

To fix that one, one of the maintainers will need to set up Trusted Publishing and remove your current manual crates.io token. I strongly recommend doing this as a way to reduce your credential exposure risk 🙂

Finally, I've done all this without adding a workflow that will proactively catch new CI/CD issues. However, if you're interested in that, I'd be happy to add one.

Signed-off-by: William Woodruff william@astral.sh

[woodruffw]

Gentle ping for review!

[Xuanwo]

Thank you for working on this!