ci: pin actions workflow step hashes and use minimum permissions

[zimeg]

Summary

This PR uses the wonderful zizmor tool to audit our own workflows and pinact for pinned versioning 👾

Reviewers

A similar audit can be performed with the zizmor tool:

$ zizmor .
...
No findings to report. Good job! (4 suppressed)

The suppressed findings are expected permission blocks at the top-level of a workflow, but we set this for each job.

Testing

🔍 CI covers most cases, but on publish we might want to be aware of possible changes to these workflows.

Special notes

🎵 🎺 🦖

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've ran deno task test after making the changes.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (f7915fb) to head (1adddc4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #125   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           36        36           
  Lines         1133      1133           
  Branches        17        17           
=========================================
  Hits          1133      1133           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zimeg]

📝 A quick note on confused permissions with the checkout step...

[zimeg]

🤔 It's not so clear if permissions.checks:write somehow includes the contents:read scopes?

[zimeg]

📚 https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions

🤖 https://github.com/slackapi/deno-slack-api/actions/runs/15179844434/job/42686910983#step:1:16

GITHUB_TOKEN Permissions
  Checks: write
  Metadata: read

[zimeg]

🗣️ I was about to loose marbles but this was an expected finding: slackapi/slack-health-score#93

[WilliamBergamin]

Nice 💯

[zimeg]

@WilliamBergamin I appreciate the review along this confusion of what permissions are supposed to do. As the ultimate test of CI I will merge this PR now.