Pinned all 7 third-party actions from mutable version tags to immutable
commit SHAs. Mutable tags (e.g. @v4) can be force-pushed by the action
author (or a compromised account) to inject malicious code into the workflow,
which runs with write access to the repo and GHCR registry.
Also moved 'permissions' from workflow level to job level (best practice:
scope permissions as narrowly as possible).
Pin mapping:
actions/checkout@v4 -> @11bd71901bbe... (v4.2.2)
softprops/action-gh-release@v2 -> @c062e08bd532... (v2.2.1)
docker/setup-qemu-action@v3 -> @49b3bc8e6bdd... (v3.2.0)
docker/setup-buildx-action@v3 -> @c47758b77c97... (v3.7.1)
docker/login-action@v3 -> @9780b0c442fb... (v3.3.0)
docker/metadata-action@v5 -> @369eb591f429... (v5.6.1)
docker/build-push-action@v6 -> @ca877d9245fe... (v6.10.0)
4a3b9571f1