Secure GitHub Actions workflows — full SHA pinning for `uses:`, safe `pull_request` handling, least-privilege permissions, Dependabot updates, and shell-injection-safe `run:` steps