chore(stepsecurity): update workflows to use custom hosted runners with built-in StepSecurity (#133)

## Summary
This PR updates GitHub Actions workflows to use custom hosted runners
that have StepSecurity built-in, removing the need for the explicit
StepSecurity harden-runner action.

## What Changed
- Removed step-security/harden-runner action steps (no longer needed as
StepSecurity is built into custom runners)
- Removed id-token: write permissions (no longer needed without the
StepSecurity action)
- Updated runs-on from ubuntu-latest to github-hosted-small (custom
runners with built-in StepSecurity)
- Converted non-circlefin action versions to commit SHAs with version
comments for security pinning (e.g., actions/checkout@abc123 # v3.6.0)
- circlefin GitHub actions remain unchanged

## Purpose
Our custom hosted runners (github-hosted-small) now have StepSecurity
built-in at the runner level, so we no longer need to add it as an
explicit step in each workflow. This simplifies our workflows while
maintaining the same security posture.

## Testing
- All workflow syntax changes have been validated
- No functional changes to workflow behavior
- StepSecurity protection is maintained via the custom runners
- Review the diff to ensure only intended changes occurred

Author: circle-ops-repo-updater

.github/workflows/commit-lint.yml

@@ -10,16 +10,8 @@ permissions:
 jobs:
   commit_lint:
     name: "Lint commit messages"
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
+    runs-on: github-hosted-small
     steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
-        with:
-          egress-policy: block
-          policy: global-allowed-endpoints-policy
-
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0

.github/workflows/npm-publish.yml

@@ -6,19 +6,12 @@ name: Publish to npm
 on: [workflow_dispatch, workflow_call]
 
 permissions:
-  id-token: write
   contents: read
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-hosted-small
     steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
-        with:
-          egress-policy: block
-          policy: global-allowed-endpoints-policy
-
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
@@ -28,16 +21,8 @@ jobs:
 
   publish-npm:
     needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
+    runs-on: github-hosted-small
     steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
-        with:
-          egress-policy: block
-          policy: global-allowed-endpoints-policy
-
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:

.github/workflows/pull_request_checks.yml

@@ -7,16 +7,8 @@ on:
 jobs:
   lint:
     name: "Lint, Build and Test"
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
+    runs-on: github-hosted-small
     steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
-        with:
-          egress-policy: block
-          policy: global-allowed-endpoints-policy
-
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       - name: Installing dependencies