Pin GitHub Actions to SHA for security

Update official GitHub Actions (actions/*, github/*) to use pinned
commit SHAs instead of version tags. This satisfies zizmor's
unpinned-action-reference security check.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/clang-addresssanitizer.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - name: Checkout
         # We use v1 due to https://github.com/actions/checkout/issues/334
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: true
           persist-credentials: false

.github/workflows/clang-analyzer.yml

@@ -21,7 +21,7 @@ jobs:
 
       - name: Checkout
         # We use v1 due to https://github.com/actions/checkout/issues/334
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: true
           persist-credentials: false

.github/workflows/lint.yml

@@ -19,7 +19,7 @@ jobs:
           php-version: 8.3
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -34,7 +34,7 @@ jobs:
 
       - name: Checkout
         # We use v1 due to https://github.com/actions/checkout/issues/334
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           submodules: true
           persist-credentials: false

.github/workflows/zizmor.yml

@@ -15,7 +15,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false