SEC-178: pin GitHub Action refs to full SHAs (#5)

Pins actions/checkout@v6 and actions/setup-python@v6 in ci.yml and
publish.yml to the full commit SHAs of the v6 tags as of 2026-04-21.

Required before the org-wide sha_pinning_required policy
(rootlyhq/terraform-rootly#891) lands; otherwise this repo's CI
would fail validation at the "Set up job" step on first run after
apply.

SHAs:
  actions/checkout@v6        -> de0fac2e4500dabe0009e67214ff5f5447ce83dd
  actions/setup-python@v6    -> a309ff8b426b58ec0e2a45f0f869d46889d02405

Linear: SEC-178 (follow-up to SEC-89).

Author: youngjk

.github/workflows/ci.yml

@@ -10,10 +10,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.12'
 
@@ -35,10 +35,10 @@ jobs:
       matrix:
         python-version: ['3.10', '3.11', '3.12']
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
 

.github/workflows/publish.yml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: '3.12'