ci: pin GitHub Actions to full-length commit SHAs

[babarot]

WHAT

Pin every third-party GitHub Actions reference in .github/workflows/*.yaml to a full-length commit SHA, with the human-readable tag retained as a trailing comment. Actions are also bumped to their latest stable versions in the process.

WHY

The repository's organization policy now requires all actions to be pinned to a full-length commit SHA. Workflows on the current main use floating tag references (@v4, @v5, etc.), so every job fails at Set up job with:

The actions actions/checkout@v4, actions/setup-go@v5, and golangci/golangci-lint-action@v7
are not allowed in babarot/gomi because all actions must be pinned to a full-length commit SHA.

This blocks CI on every PR (e.g. #127). Pinning to SHAs also mitigates supply chain risk: a compromised maintainer or tag re-point cannot silently change what runs in our pipelines.

HOW

Run PINACT_MIN_AGE=7 pinact run -u to update each action to the latest release that is at least 7 days old (the cooldown mitigates a freshly published malicious version) and rewrite the reference to <owner>/<action>@<sha> # <version>.

Affected workflows: build.yaml, label-sync.yaml, pages.yaml, pr-labeler.yaml, release.yaml.

Notable version bumps included alongside the SHA pinning:

• actions/checkout v4 → v6.0.2
• actions/setup-go v5 → v6.4.0
• golangci/golangci-lint-action v7 → v9.2.1
• actions/setup-python v5 → v6.2.0
• actions/upload-pages-artifact v3 → v5.0.0
• actions/deploy-pages v4 → v5.0.0
• actions/labeler v5 → v6.1.0
• goreleaser/goreleaser-action v6 → v7.2.2
• Songmu/tagpr v1.5.0 → v1.19.0
• EndBug/label-sync v2 → v2.3.3
• Schneegans/dynamic-badges-action v1.7.0 → v1.8.0
• k1LoW/octocov-action v1.5.0 → v1.5.1

Validation is delegated to CI on this PR: the build/lint/release jobs need to come back green to confirm the major bumps (notably golangci-lint-action v7 → v9) do not require workflow changes.