Skip to content

ci: pin all GitHub Actions to full-length commit SHAs #362

Open

SvenPistre wants to merge 2 commits into LukeMathWalker:main from SvenPistre:ci/pin-github-actions-to-hash

Conversation

SvenPistre commented Jun 10, 2026


PR content

This PR pins every third-party GitHub Action used across the workflows to a full-length commit SHA, with a trailing `# <version>` comment for readability and Dependabot compatibility. No behavioural change — each SHA corresponds to the release already in use.

It also updates `.github/dependabot.yml` so SHA-pinned actions stay current and adds a cooldown period of 7 days.
Previously, all patch-level updates for `github-actions` were ignored, but with SHA pinning this is actually counterproductive.
Security fixes will frequently ship as a patch release. To reduce update noise, one can group all GitHub Action updates together in one PR once a week.

This resolves #361 (the repo settings can only be edited by maintainers).

How the SHAs can be verified

Each pin maps a SHA to a published release tag. To verify, open the release link and confirm GitHub shows the same commit SHA the comment claims; the `# vX.Y.Z` comment must match the linked release.

| Action | Pinned version | Commit SHA | Verify (release / tag) |
| --- | --- | --- | --- |
| actions/checkout | v4.3.1 | 34e114876b0b11c390a56381ad16ebd13914f8d5 | https://github.com/actions/checkout/releases/tag/v4.3.1 |
| actions/checkout | v6.0.3 | 9f698171ed81b15d1823a05fc7211befd50c8ae0 | https://github.com/actions/checkout/releases/tag/v6.0.3 |
| actions/upload-artifact | v6.0.0 | b7c566a772e6b6bfb58ed0dc250532a479d7789f | https://github.com/actions/upload-artifact/releases/tag/v6.0.0 |
| actions/download-artifact | v7.0.0 | 37930b1c2abaa49bbe596cd826c3c89aef350131 | https://github.com/actions/download-artifact/releases/tag/v7.0.0 |
| docker/setup-buildx-action | v3.12.0 | 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f | https://github.com/docker/setup-buildx-action/releases/tag/v3.12.0 |
| docker/login-action | v3.7.0 | c94ce9fb468520275223c153574b00df6fe4bcc9 | https://github.com/docker/login-action/releases/tag/v3.7.0 |
| docker/setup-qemu-action | v3.7.0 | c7c53464625b32c7a7e944ae62b3e17d2b600130 | https://github.com/docker/setup-qemu-action/releases/tag/v3.7.0 |
| dtolnay/rust-toolchain | v1 (stable) | e97e2d8cc328f1b50210efc529dca0028893a2d9 | dtolnay/rust-toolchain@e97e2d8 |
| taiki-e/install-action | v2.81.8 | 0631aa6515c7d545823c67cfae7ef4fc7f490154 | https://github.com/taiki-e/install-action/releases/tag/v2.81.8 |
| rustsec/audit-check | v2.0.0 | 69366f33c96575abad1ee0dba8212993eecbe998 | https://github.com/rustsec/audit-check/releases/tag/v2.0.0 |
| release-plz/action | v0.5.129 | 4a08fbe6cb1bb0e4d066058e6efcf50f352db236 | https://github.com/release-plz/action/releases/tag/v0.5.129 |

Note on dtolnay/rust-toolchain: this action publishes a rolling stable reference rather than per-release tags, so the pin targets the commit directly (`# v1` reflects the major rolling tag). The SHA should be confirmed reachable from the action's default branch.
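An added check, not part of this PR or the repository, that lints workflow files for the convention the PR adopts: every third-party `uses:` reference must be a full 40-hex commit SHA (tags, branches and short SHAs such as `@e97e2d8` are flagged) and must carry a `# <version>` comment. The sample workflow is constructed; its two full SHAs are copied from the table above.

```python
import re
import sys
from pathlib import Path

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a `# <version>` comment.
# Local actions (./path) and docker:// images carry no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)\s*(?:#\s*(.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[str]:
    """Return one finding per `uses:` line that breaks the pinning convention: the ref
    must be a full 40-hex commit SHA (tags and short SHAs are mutable or ambiguous) and
    must carry a trailing `# <version>` comment so the release stays readable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append(f"{lineno}: {action}@{ref}: not pinned to a full-length commit SHA")
        elif comment is None:
            findings.append(f"{lineno}: {action}@{ref[:7]}: SHA pin lacks a '# <version>' comment")
    return findings


# Constructed sample workflow; the two full SHAs are the ones listed in the PR table.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/upload-artifact@v6
      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
      - uses: dtolnay/rust-toolchain@e97e2d8 # v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    # With file arguments, lint those workflow files; otherwise lint the sample above.
    paths = [Path(p) for p in sys.argv[1:]]
    sources = {str(p): p.read_text() for p in paths} if paths else {"<sample>": SAMPLE_WORKFLOW}
    problems = [f"{name}:{f}" for name, text in sources.items() for f in check_workflow(text)]
    print("\n".join(problems) or "all actions pinned")
    sys.exit(1 if problems else 0)
```

Run it as `python check_pins.py .github/workflows/*.yml` in CI to fail the build when a pin regresses to a mutable tag.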
