follow-up: harden static-checks toolchain pinning and shell script alignment

[mrlunchbox777]

Context

Follow-up from PR review on #325: #325 (review)

Why

Phase C static checks are working, but we intentionally deferred a few non-blocking hardening tasks to keep PR #325 focused.

Follow-up scope

• Resolve basic-setup.sh interpreter mismatch by either:
  • making it POSIX-sh compatible, or
  • switching to a bash shebang and moving it under the bash-targeted lint path.
• Remove the temporary basic-setup.sh exclusion from .github/workflows/static-checks.yaml after the interpreter mismatch is fixed.
• Pin static-check tooling versions (shellcheck, shfmt) to reduce CI drift/noise (for example via pinned action/tool downloads or an explicitly versioned install path).
• Evaluate whether runner pinning (for example ubuntu-24.04) is needed for additional stability.

Acceptance criteria

• Static checks pass without temporary basic-setup.sh exclusion.
• Tool versions used in CI are explicit/reproducible.
• PR notes document chosen pinning strategy and rationale.