
ci: pin third-party GitHub Actions to commit SHAs #13

Merged: github-actions[bot] merged 1 commit into main from chore/pin-actions-sha on May 12, 2026

Conversation

@satyakwok (Member) commented May 12, 2026

Round-2 audit fix. Pins all unpinned third-party action `uses:` to current commit SHAs (immutable). Tag annotations preserved as trailing comments for future bumps.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow dependencies to use pinned versions for improved stability and security.


coderabbitai (bot) commented May 12, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This pull request updates two GitHub Actions workflows to pin external action references to specific commit SHAs instead of using floating version tags. The .github/workflows/ci.yml file pins the foundry-rs/foundry-toolchain action from @v1 to a specific commit, while .github/workflows/codeql.yml pins both the github/codeql-action/init and github/codeql-action/analyze actions from @v4 to their respective commit SHAs. No workflow logic or configuration parameters are modified.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Pre-merge checks | ✅ 4 | ❌ 1

Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The description provided is incomplete against the required template, missing the Test plan section and Related links section. Resolution: add a Test plan section with a checklist of testing scenarios and a Related section linking to any related issues or audit documentation.

Passed checks (4 passed)
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: pinning third-party GitHub Actions to commit SHAs instead of version tags.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



github-actions (bot) enabled auto-merge (squash) May 12, 2026 03:09
Replaces tag refs (`@v3`, `@v2`) with full commit SHAs. Comments preserve
the original tag for human readability and so dependabot can still propose
upgrades.

SHAs verified via GitHub commits API at the time of this commit.
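The PR description and the commit message above describe the convention being enforced: every third-party `uses:` reference is pinned to a full 40-hex commit SHA, with the original tag kept as a trailing `# vX` comment so humans and dependabot can still see which release it corresponds to. The following is an added example, not code from this PR or repository, of the check a reviewer or a CI job can run to catch regressions: it scans workflow YAML for `uses:` lines and flags any ref that is still a mutable tag or branch, plus any SHA pin that has lost its tag comment. It uses a line-oriented regex rather than a YAML parser so it runs with no dependencies; the sample workflow, its `0123…`/`89ab…` SHAs and its step list are constructed for the demo, while the codecov SHA is the one the author cites in this thread as the v4.6.0 release commit.

```python
import re
from typing import List, NamedTuple, Optional

# A `uses:` step line: optional list dash, action path, optional @ref, optional "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s@#]+)(?:@(?P<ref>[^\s#]+))?\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
# A full 40-character lowercase hex commit SHA, the only ref form GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int
    action: str
    ref: Optional[str]
    comment: Optional[str]
    status: str  # "pinned" | "pinned-no-tag-comment" | "unpinned" | "local" | "docker"


def classify(action: str, ref: Optional[str], comment: Optional[str]) -> str:
    """Decide how a single `uses:` reference should be treated."""
    if action.startswith("./"):
        return "local"       # same-repo action: travels with the commit, nothing to pin
    if action.startswith("docker://"):
        return "docker"      # image refs need digest pinning, a separate check
    if ref is not None and SHA_RE.match(ref):
        # Pinned. The PR's convention keeps the tag as a trailing comment so a reader
        # (and dependabot) can still tell which release the SHA corresponds to.
        return "pinned" if comment else "pinned-no-tag-comment"
    return "unpinned"        # tag or branch: mutable, can be repointed upstream


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and classify every `uses:` reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        findings.append(Finding(lineno, action, ref, comment or None, classify(action, ref, comment)))
    return findings


def needs_attention(text: str) -> List[Finding]:
    """Only the findings a reviewer would block on: mutable refs and SHA pins missing their tag note."""
    return [f for f in audit_workflow(text) if f.status in ("unpinned", "pinned-no-tag-comment")]


# Constructed sample workflow for the demo (not a file from the PR). The 0123.../89ab...
# SHAs are made-up placeholders; the codecov SHA is the one cited in the PR thread as v4.6.0.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: foundry-rs/foundry-toolchain@0123456789abcdef0123456789abcdef01234567 # v1
      - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
      - uses: github/codeql-action/init@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: run tests
        run: forge test
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.status:<22} {f.action}@{f.ref or '-'}")
```

Run against the sample, `needs_attention` reports the `actions/checkout@v4` tag and the `codeql-action/init` pin that lacks its `# v4` comment, and leaves the correctly annotated foundry and codecov pins alone. The check deliberately treats anything that is not a full SHA as unpinned; a short SHA or a `vX.Y.Z` tag can both be moved upstream, which is the whole reason for this PR.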
satyakwok force-pushed the chore/pin-actions-sha branch from 3ef8848 to 07e75cf on May 12, 2026 03:20
github-actions (bot) merged commit 5b2745c into main May 12, 2026
4 of 5 checks passed
@satyakwok (Member, Author) commented May 12, 2026

Retracting — the SHAs in main are real (verified e.g. codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 = v4.6.0 release commit). My earlier comment was based on a stale CI log from an earlier iteration of this branch, before the SHAs were corrected. Main CI is green. Sorry for the noise.
