ci: pin action versions to immutable commit SHAs (CodeRabbit on PR #14)

Replace @v4 / @v5 tag refs with the matching commit SHAs on
actions/checkout and actions/setup-python. Tags are mutable — a
compromised maintainer can repoint them, silently swapping the code
that runs in our CI runner. SHAs are immutable and remove that
class of supply-chain risk.

Verified each SHA against the live tag on github.com:

  gh api repos/actions/checkout/git/ref/tags/v4 \
    --jq '.object.sha'  # 34e114876b0b11c390a56381ad16ebd13914f8d5
  gh api repos/actions/setup-python/git/ref/tags/v5 \
    --jq '.object.sha'  # a26af69be951a213d495a4c3e4e4022e16d87065

The trailing `# v4` / `# v5` comments preserve the major-version
intent so future bumps stay deliberate. The leading comment block
documents the bump procedure for the next person.

Author: timon0305

.github/workflows/tests.yml

@@ -11,10 +11,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to immutable commit SHAs (not @v4 / @v5) so a compromised tag
+      # cannot silently swap the underlying action code on this CI runner.
+      # When bumping, verify the new SHA via:
+      #   gh api repos/actions/<name>/git/ref/tags/<vN> --jq '.object.sha'
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with:
           python-version: '3.12'