root - chore: defense - pin all GitHub Actions to full SHAs

[jaredwray]

Summary

Pin all third-party GitHub Actions to full commit SHAs (supply-chain / defense-in-depth hardening). No behavior change.

Why

Floating major tags (@v6, @v7, @v4) are mutable — if an action's repo were compromised, the tag could be moved to point at a malicious commit. Pinning to immutable commit SHAs (each with a # vX.Y.Z comment for readability) removes that risk.

Pins

• actions/checkout @v6 → df4cb1c0… # v6.0.3
• actions/setup-node @v6 → 48b55a01… # v6.4.0
• codecov/codecov-action @v7 → fb8b3582… # v7.0.0
• github/codeql-action/{init,autobuild,analyze} @v4 → 8aad20d1… # v4.36.2
• pnpm/action-setup — already SHA-pinned (v6.0.8), unchanged

Checks

• All four workflow YAML files parse (PyYAML)
• Every action reference is now a full commit SHA — no tag/branch refs remain
• SHAs resolved from each tag's dereferenced commit; version comments match

---

Generated by Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (ecb10eb) to head (cb849f9).

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #139   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            8         8           
  Lines          492       492           
  Branches       105       101    -4     
=========================================
  Hits           492       492           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.