chore: pin GitHub Actions to commit hashes (#284)
Summary
- Pin all GitHub Actions to full commit SHA hashes across all workflows (tests.yml, wheels.yml, publish_fgpyo.yml, readthedocs.yml)
- Update previously-pinned actions to their latest versions (e.g. checkout v5 → v6, setup-uv v6 → v8, codecov v5 → v6)
This follows GitHub’s security best practice of pinning third-party actions to immutable commit SHAs rather than mutable version tags.
Note on readthedocs
The readthedocs/actions/preview action used in readthedocs.yml is deprecated. From the repository README:
“This action is deprecated and it shouldn’t be used. This feature was included in the Read the Docs application itself.”
I’ve pinned it to the latest commit on main for now, but it should be replaced with the built-in Read the Docs PR build integration described here:
https://docs.readthedocs.com/platform/stable/visual-diff.html#show-build-overview-in-pull-requests
I’ve opened #283 for that — happy to tackle it in a follow-up if you’d like.
Test plan
- Verify CI passes on this PR (tests, wheels, publish dry-run)
- Confirm action versions resolve correctly from pinned SHAs
🤖 Generated with Claude Code
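A check for the pinning policy described in the commit message above, written as an added example that is not part of the commit or of the fgpyo repository. It scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The function name `find_unpinned`, the sample workflow, and the placeholder hash are assumptions made for illustration.

```python
import re

# Matches a step or reusable-workflow reference: "uses: <value>", optionally after "- ".
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<value>.+?)\s*$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")  # full SHA-1 commit hash


def find_unpinned(workflow_text):
    """Return (line_number, reference, reason) for each `uses:` not pinned to a full commit SHA."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        # Drop a trailing "# v6"-style comment, then surrounding quotes.
        value = re.sub(r"\s+#.*$", "", match.group("value")).strip("'\"")
        if value.startswith("./"):
            continue  # local action: versioned with the repository itself
        if value.startswith("docker://"):
            if "@sha256:" not in value:
                findings.append((number, value, "docker image not pinned by digest"))
            continue
        _, sep, ref = value.partition("@")
        if not sep:
            findings.append((number, value, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(ref):
            findings.append((number, value, f"mutable or abbreviated ref '{ref}'"))
    return findings


# Constructed sample workflow; the 40-character hash is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: astral-sh/setup-uv@v8
      - uses: codecov/codecov-action@0123456
      - uses: ./.github/actions/local-setup
      - name: Preview docs
        uses: "readthedocs/actions/preview@main"
"""

if __name__ == "__main__":
    for number, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref}: {reason}")
```

A trailing version comment such as `# v6` is ignored by the check, so it can stay next to the hash for readability. Abbreviated hashes are reported because only the full SHA is treated as pinned.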
fgpyo
Quality of life improvements for Bioinformatics in Python.
Visit us at Fulcrum Genomics to learn more about how we can power your Bioinformatics with fgpyo and beyond.
pip install fgpyo
Requires python 3.10+
See documentation on fgpyo.readthedocs.org.
Development and Testing
See the developer’s instructions for more information.