Commit f1707be
Harden workflows and Dockerfiles: sanitize-sed, pinned images, COPY, non-root
Workflows:
- ci-comprehensive-build-test.yml: resolve merge conflict with master,
  add sanitize-sed.sh sourcing to all 38 bash steps, remove pull-requests: read
- ci-docker-latest.yml: add sanitize-sed.sh sourcing to 4 test steps
- ci-docker-nixos.yml: add sanitize-sed.sh sourcing to 4 test steps
Dockerfiles:
- Dockerfile: pin ubuntu:26.04 to sha256 digest, replace git clone with COPY,
  remove git from builder deps
- Dockerfile.nixos: replace git clone with COPY, add non-root iccdev user (uid 1000)

1 parent 4ae0fd3, commit f1707be
5 files changed, +413 -358 lines changed