security: pin third-party GitHub Actions to commit SHAs + least-privilege permissions

[KedoKudo]

What

Supply-chain hardening of GitHub Actions workflows:

• SHA-pin all third-party actions to full 40-char commit SHAs, retaining a trailing # version comment so the intended release stays readable.
• Add a conservative top-level permissions: contents: read block to pure-CI workflows that had no top-level permissions and perform no privileged operations.

First-party actions/* and github/* are intentionally left tag-pinned per group convention.

Why

Supply-chain hardening per group convention (pin third-party Actions to SHA hashes where possible; least-privilege tokens). From the 2026-06-22 workspace GitHub Actions security audit.

Pins applied

Action	Pinned SHA	Comment
prefix-dev/setup-pixi (4x in test_and_deploy, 1x in update-lockfiles)	5185adfbffb4bd703da3010310260805d89ebb11	v0.9.6
codecov/codecov-action	fb8b3582c8e4def4969c97caa2f19720cb33a72f	v7
neutrons/conda-actions/pkg-install	bba9ca89d48d9ae846db9650cc63fde736340b3d	v2
neutrons/conda-actions/pkg-verify	bba9ca89d48d9ae846db9650cc63fde736340b3d	v2
neutrons/conda-actions/grype	bba9ca89d48d9ae846db9650cc63fde736340b3d	v2
neutrons/conda-actions/publish	bba9ca89d48d9ae846db9650cc63fde736340b3d	v2
neutrons/conda-actions/pkg-remove	bba9ca89d48d9ae846db9650cc63fde736340b3d	v2
pypa/gh-action-pypi-publish	cef221092ed1bacb1cc03d23a2d87d1d172e277b	v1.14.0
peter-evans/create-pull-request	5f6978faf089d4d20b00c7766989d076bb2fc7f1	v8

Permissions

• copilot-setup-steps.yml: added top-level permissions: contents: read (no privileged operations, no pre-existing top-level block).
• test_and_deploy.yaml: no top-level permissions change — it uses id-token: write (trusted PyPI publishing) and pypa/gh-action-pypi-publish; existing per-job permissions are preserved untouched.
• update-lockfiles.yml: no permissions change — already has a top-level permissions: block (contents: write, pull-requests: write) for peter-evans/create-pull-request.

Notes

• dtolnay/rust-toolchain and taiki-e/install-action do not appear in this repo, so their special-case handling did not apply.
• No behavior change intended; CI on this PR validates.

🤖 Assisted with Claude Code

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 2.29%. Comparing base (011e36c) to head (e12ef6d).

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #177   +/-   ##
=====================================
  Coverage   2.29%   2.29%           
=====================================
  Files          4       4           
  Lines        131     131           
=====================================
  Hits           3       3           
  Misses       128     128           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.