ci: pin GitHub Actions SHAs and harden repo settings alignment#93

Merged
FunKite merged 3 commits into main from codex/maintain-2026-02-10 on Feb 17, 2026
Conversation

@FunKite (Owner) commented Feb 16, 2026

Summary

  • pin all GitHub Actions workflow action references to full commit SHAs
  • update CHANGELOG.md under [Unreleased] for workflow hardening and merged dependency updates
  • align CI with repository Actions policy requiring SHA-pinned actions

Security

  • reduces third-party action supply-chain risk by removing mutable tag references
  • keeps workflows compatible with selected-actions plus SHA-pinning enforcement

Validation

  • verified all workflow action references are pinned to 40-character SHAs
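
As an added example (not code from the PR or the repository's own tooling), the following Python checker implements the validation step above: it walks a workflow's uses: references, flags any not pinned to a 40-character SHA, flags SHA pins that carry no version comment, and, for actions whose git tag used to double as a behaviour selector (here dtolnay/rust-toolchain, whose tag chose the Rust version), requires an explicit with: input once the tag is gone. The sample workflow, the placeholder SHA on the checkout step and the TAG_DRIVEN_INPUTS mapping are constructed assumptions; the regexes are mine.

```python
import re

# Constructed sample (not the project's real workflow). The rust-toolchain step
# mirrors the review's point: the tag that used to select Rust 1.77.0 is gone.
SAMPLE_WORKFLOW = """\
jobs:
  msrv:
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust 1.77
        uses: dtolnay/rust-toolchain@0ed6b4757d4e63d7920abe758134858e95c8215f
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.2.0
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)(?:\s+#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumed list of actions whose tag selected behaviour; SHA pins need `with:` instead.
TAG_DRIVEN_INPUTS = {"dtolnay/rust-toolchain": "toolchain"}


def _step_has_input(lines, idx, key):
    """True if `key:` appears in the step whose `uses:` is at lines[idx]."""
    for line in lines[idx + 1:]:
        if not line.strip() or line.lstrip().startswith("- "):
            break  # next step, or end of the steps list
        if re.match(rf"^\s*{re.escape(key)}:", line):
            return True
    return False


def audit_workflow(text):
    """Return (line_no, action, problem) for each `uses:` needing attention."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, version_comment = m.group(1), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and images are out of scope here
        action, _, pinned = ref.partition("@")
        if not SHA_RE.match(pinned):
            findings.append((idx + 1, action, f"mutable ref '{pinned}'; pin to a 40-char SHA"))
            continue
        if version_comment is None:
            findings.append((idx + 1, action, "SHA pinned but no '# vX.Y.Z' comment"))
        needed = TAG_DRIVEN_INPUTS.get(action)
        if needed and not _step_has_input(lines, idx, needed):
            findings.append((idx + 1, action, f"SHA pinned but no 'with: {needed}:' input"))
    return findings
```

Run it over .github/workflows/*.yml in CI and fail the job on a non-empty result; the version comment keeps the pin readable for reviewers and for update tooling.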

@FunKite FunKite enabled auto-merge (squash) February 16, 2026 23:27
@FunKite FunKite force-pushed the codex/maintain-2026-02-10 branch from 16ad907 to 67d1333 on February 16, 2026 23:28

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 16ad907dff


- name: Install Rust 1.77
uses: dtolnay/rust-toolchain@1.77.0
uses: dtolnay/rust-toolchain@0ed6b4757d4e63d7920abe758134858e95c8215f
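
Review bot: the replaced line drops the only place the Rust version was stated; the step is still named "Install Rust 1.77", but after the swap from dtolnay/rust-toolchain@1.77.0 to the bare SHA nothing in this region selects the 1.77.0 toolchain. Add the input explicitly under the step (with: / toolchain: 1.77.0) and append a version comment after the SHA (e.g. `# 1.77.0`) so reviewers and dependency-update tooling can see what the pin corresponds to.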

P1: Keep the MSRV toolchain explicit after SHA pinning

The msrv job used to request Rust 1.77.0 via dtolnay/rust-toolchain@1.77.0, but after switching to a commit SHA there is no with: toolchain: 1.77.0 input, so this step is no longer explicitly tied to the declared MSRV and can either install a different channel or fail depending on action default behavior. That means MSRV regressions may slip through CI (or CI may break) while the job still appears to be validating 1.77.

@FunKite FunKite merged commit 05d9c0c into main Feb 17, 2026
26 checks passed
@FunKite FunKite deleted the codex/maintain-2026-02-10 branch February 17, 2026 15:47