
tag GHA versions to hashes in CI, address some security issues #161

Merged
bckohan merged 1 commit into main from gha_hashing
Feb 11, 2026

Conversation


@bckohan bckohan commented Feb 10, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 10, 2026 23:17

Copilot AI left a comment


Pull request overview

Pins GitHub Actions used across CI/release workflows to specific commit SHAs and adjusts CI/release plumbing to improve supply-chain security and workflow invocation behavior.

Changes:

  • Replaced uses: ...@v* references with commit-SHA pinned action references across multiple workflows.
  • Updated CI triggers and reusable-workflow wiring (added merge_group, required CODECOV_TOKEN for workflow_call, tightened release tag pattern).
  • Updated Dependabot configuration (grouping and monthly cadence; switched Python ecosystem to uv).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Summary per file:

  • .github/workflows/zizmor.yml: Pin action dependencies to commit SHAs for the zizmor scan workflow.
  • .github/workflows/test.yml: Add merge queue trigger + reusable-workflow secret requirement; pin actions; add optional "clear cache" step.
  • .github/workflows/scorecard.yml: Pin actions to commit SHAs for Scorecard workflow.
  • .github/workflows/release.yml: Tighten tag trigger pattern; stop inheriting secrets broadly; pin actions; tweak release scripting.
  • .github/workflows/lint.yml: Pin actions to commit SHAs for lint workflow.
  • .github/workflows/debug.yml: Pin actions to commit SHAs for debug workflow.
  • .github/dependabot.yml: Group updates and reduce cadence; configure Python updates via uv.
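The review above describes replacing `uses: ...@v*` tags with commit-SHA pins. As an added example (not code from this repository or from the review), here is a small audit that classifies every `uses:` reference in a workflow file as SHA-pinned or still floating on a mutable tag or branch; the sample workflow text is constructed, and the SHA in it is a placeholder.

```python
import re

# Constructed sample workflow, not a file from the project. It mixes a
# mutable tag reference with a SHA-pinned one (the pattern this PR adopts).
SAMPLE_WORKFLOW = """\
name: test
on:
  pull_request:
  merge_group:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5.3.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, ref, status) for every `uses:` step in the text.

    status is one of:
      "pinned"  - third-party action referenced by a full 40-hex commit SHA
      "mutable" - third-party action referenced by a tag or branch name
      "local"   - path inside this repository (./...), nothing to pin
      "docker"  - docker:// image reference, pinned by digest rather than SHA
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "docker"
        else:
            _, _, version = ref.partition("@")
            status = "pinned" if SHA_RE.match(version) else "mutable"
        findings.append((line_no, ref, status))
    return findings


def unpinned(workflow_text):
    """Only the third-party references that still float on a tag or branch."""
    return [ref for _, ref, status in audit_uses(workflow_text) if status == "mutable"]
```

Running `audit_uses` over the sample reports `actions/checkout@v4` as the one mutable reference; the trailing `# v5.3.0` comment on the pinned line is the convention that lets Dependabot keep the human-readable version next to the SHA.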


@bckohan bckohan merged commit 906fdab into main Feb 11, 2026
50 of 52 checks passed
@bckohan bckohan deleted the gha_hashing branch February 11, 2026 03:56