
chore: set permission levels and pin commits for actions #1284

Open
abelaba wants to merge 1 commit into py-econometrics:master from abelaba:update-workflow

Conversation

Contributor

@abelaba abelaba commented Apr 24, 2026

Summary

This PR replaces GitHub Action tags with pinned commit SHAs, and sets the permission level to read at the top level of the workflows.

Why

  • Tags are unsafe because they could point to compromised versions of the code, while pinning commit SHAs is safer because a SHA is immutable.
  • Setting the permission level to allow only read access for the workflows, so if dependencies get compromised they don't have additional access.

Steps Taken

  1. Used zizmor for analyzing the workflows.
  2. Used pinact for pinning commit SHAs.
  3. Added the code below to the checkout actions, so the repository token is not passed to additional steps.

       with:
         persist-credentials: false

  4. Added the code below at the workflow level.

       permissions:
         contents: read

Note

.github/workflows/build-and-release.yaml is created using maturin, so if the workflow gets updated using maturin, you just run pinact again to add the commit SHAs.

Similar approaches were adopted in optimagic and sbi.
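The three hardening points from the PR description (a workflow-level `permissions:` block, actions pinned to full commit SHAs instead of tags, and `persist-credentials: false` on every `actions/checkout` step) can be checked mechanically. The script below is an added example, not code from this PR or the py-econometrics project; it is a deliberately small line-based scan that needs no YAML library, whereas zizmor does this job properly. The two sample workflows are constructed for the example, and the 40-character SHAs in the hardened one are placeholders (`"0" * 40`, `"1" * 40`), not real commits of the named actions; pinact fills in the real ones.

```python
"""Audit GitHub Actions workflows for three hardening rules: workflow-level
permissions, SHA-pinned actions, and persist-credentials: false on checkout.
Added example with a line-based scan; not the project's own tooling."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA = immutable pin
STEP_RE = re.compile(r"^(\s*)-\s+\S")              # start of a YAML list item
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _list_items(lines):
    """Group lines into (1-based line number, lines) per YAML list item, by indentation."""
    items, i = [], 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash = len(m.group(1))
        j = i + 1
        # Everything indented deeper than the dash (or blank) belongs to this item.
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > dash):
            j += 1
        items.append((i + 1, lines[i:j]))
        i = j
    return items


def audit_workflow(text: str) -> list[str]:
    """Return one finding per violated rule; an empty list means the workflow passes."""
    lines = text.splitlines()
    findings = []
    top_keys = {ln.split(":", 1)[0] for ln in lines
                if ln and not ln[0].isspace() and not ln.startswith("#") and ":" in ln}
    if "permissions" not in top_keys:
        findings.append("workflow: no top-level 'permissions:' block, GITHUB_TOKEN keeps its default scopes")
    for line_no, item in _list_items(lines):
        target = next((USES_RE.match(ln).group(1) for ln in item if USES_RE.match(ln)), None)
        if target is None or target.startswith(("./", "docker://")):
            continue                                   # local or container actions have no ref to pin
        action, _, ref = target.partition("@")
        if not SHA_RE.match(ref):
            findings.append(f"line {line_no}: {action} uses mutable ref '{ref or '<none>'}', not a commit SHA")
        if action == "actions/checkout" and not any(PERSIST_RE.match(ln) for ln in item):
            findings.append(f"line {line_no}: actions/checkout without 'persist-credentials: false'")
    return findings


# Constructed sample workflows (not taken from the repository). The SHAs are
# placeholders, not real commits of the named actions.
PLACEHOLDER_SHA_CHECKOUT = "0" * 40
PLACEHOLDER_SHA_SETUP_PY = "1" * 40

BEFORE = """\
name: CI
on:
  push:
    branches:
      - master
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pytest
"""

AFTER = f"""\
name: CI
on:
  push:
    branches:
      - master
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA_CHECKOUT} # v4
        with:
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@{PLACEHOLDER_SHA_SETUP_PY} # v5
        with:
          python-version: "3.12"
      - run: pytest
"""

if __name__ == "__main__":
    for label, workflow in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_workflow(workflow) or ['clean']}")
```

The unhardened sample produces four findings (missing `permissions:`, two tag-pinned actions, and a checkout step that leaves the token on disk); the hardened one produces none. The scan only looks at `uses:` inside step lists, so a job-level `uses:` for a reusable workflow is not checked here; that is one of the reasons to run zizmor rather than a script like this in CI.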


codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag             Coverage   Patch   Δ
core-tests       72.79%     <ø>     -0.28% ⬇️
test-r-core      51.23%     <ø>     -0.19% ⬇️
test-r-extended  18.90%     <ø>     +0.32% ⬆️
test-r-fixest    40.49%     <ø>     +0.32% ⬆️
tests-extended   ?

Flags with carried forward coverage won't be shown.
29 files with indirect coverage changes.
