[ci] harden GitHub Actions security posture

[komer3]

Summary

• move step-security/harden-runner ahead of checkout and other executable steps across the workflow set so outbound controls are active before third-party actions or checked-out code run
• pin external GitHub Actions to full SHAs, update them to current stable releases, and enable Renovate digest pinning so workflow execution is tied to reviewed commits instead of mutable tags
• tighten workflow permissions and egress allowlists where behavior is well understood, keep maintainer-approved fork PR test paths intact, and leave the highest-variance jobs in audit until observed traffic can be converted to minimal block allowlists

Why

• harden-runner only protects the job where it runs, so each job needs its own early placement to reduce the supply-chain window before network controls are active
• tag-based GitHub Action refs are mutable; digest pinning gives us a stable, reviewable execution target while still letting Renovate manage updates
• several jobs were carrying broader permissions or endpoints than they actually needed, and gh-pages had a container pull that occurred before the first hardened step

Notable Changes

• updated workflow ordering so Harden Runner runs before checkout/actions in the affected jobs
• added persist-credentials: false to checkout steps touched in this pass
• narrowed pr-labeler and release-drafter to GitHub API-only egress and reduced redundant permissions
• removed unused Codecov endpoints from pull_request_ci.yaml go-build
• removed the gh-pages job container and the now-unneeded apt-get lines so the docs job is covered by Harden Runner from its first meaningful step
• added .opencode/ to .gitignore
• enabled Renovate helpers for GitHub Action digest pinning

Audit Mode Workflows/Jobs

• .github/workflows/build-push.yml build-push
• .github/workflows/gh-pages.yml generate-docs
• .github/workflows/gh-pages.yml deploy-page
• .github/workflows/link-checker.yml markdown-link-check

Plan To Move Audit Jobs To Block

• build-push: use the existing workflow_dispatch path to capture Harden Runner telemetry from a trusted run, reduce the allowlist to observed endpoints, then switch the job to block
• gh-pages: trigger the workflow from a trusted docs or README.md change on main, collect the observed endpoints for docs build, Pages artifact upload, and deploy, then replace audit with minimal block allowlists per job
• link-checker: review whether block is worth the maintenance cost first; because it checks outbound links from repo docs, its host set is large and changes over time, so keeping it on audit may remain the better long-term trade-off unless we want to maintain an explicit host allowlist

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.15%. Comparing base (59420ee) to head (69d495c).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1071   +/-   ##
=======================================
  Coverage   69.15%   69.15%           
=======================================
  Files          71       71           
  Lines        6543     6543           
=======================================
  Hits         4525     4525           
  Misses       1724     1724           
  Partials      294      294           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.