chore: pin GitHub Actions to SHA for supply chain security#325

Open
kimyouknow wants to merge 3 commits into main from chore/pin-github-actions-sha

Conversation

@kimyouknow (Collaborator) commented Feb 13, 2026

Summary

  • Pin all third-party GitHub Actions to full commit SHAs instead of floating version tags (@v5, @v6, etc.) to prevent supply chain attacks
  • Add dependabot.yml with grouped weekly updates to automatically keep SHAs current

Pinned Actions

Action                            SHA           Version
actions/checkout                  93cb6efe...   v5.0.1
actions/setup-node                6044e13b...   v6.2.0
changesets/action                 6a0a831f...   v1.7.0
peter-evans/create-pull-request   22a90890...   v7.0.11
dorny/paths-filter                de90cc6f...   v3.0.2
codecov/codecov-action            671740ac...   v5.5.2
preactjs/compressed-size-action   8518045e...   v2.9.0

Dependabot

  • Group all action updates into a single PR using groups config
  • Automatically create update PRs on a weekly schedule

Next step

  • Enable "Require actions to be pinned to a full-length commit SHA" in Settings → Actions → General to enforce SHA pinning on all future workflow changes

Test plan

  • Verify integration workflow runs successfully
  • Verify compressed-size workflow runs successfully
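The pinning change and the repository setting it prepares for can be checked mechanically. The script below is an added example, not code from this PR or the project: it holds a constructed workflow fragment in its floating-tag form and in its SHA-pinned form (the 40-character SHAs are placeholders, since the page only shows abbreviated ones), and an `audit_uses` function that flags every `uses:` reference that would fail the "Require actions to be pinned to a full-length commit SHA" setting, plus pinned references that lack the `# vX.Y.Z` comment Dependabot keeps in sync with the SHA. Local actions under `./` are skipped, and `docker://` images are checked for a digest instead.

```python
import re

# Placeholder 40-hex SHAs for the constructed example (not the commits the
# PR actually pins; those are only shown abbreviated on the page).
SHA_CHECKOUT = "a" * 40
SHA_SETUP_NODE = "b" * 40

# Constructed workflow fragment as it looked before pinning: mutable tags.
WORKFLOW_BEFORE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/local-helper
"""

# The same fragment after pinning: full SHA plus the version comment that
# Dependabot updates together with the SHA.
WORKFLOW_AFTER = f"""\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_CHECKOUT} # v5.0.1
      - uses: actions/setup-node@{SHA_SETUP_NODE} # v6.2.0
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def audit_uses(workflow_text):
    """Return (line_no, ref, problem) for every `uses:` line that is not
    pinned to a full-length commit SHA, or is pinned but has no version
    comment. Local actions are skipped; docker images must carry a digest."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            continue  # local action: part of this repo's own reviewed tree
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((n, ref, "missing @ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if FULL_SHA_RE.match(version):
            if not comment:
                findings.append((n, ref, "full SHA but no '# vX.Y.Z' comment"))
        elif SHORT_SHA_RE.match(version):
            findings.append((n, ref, "abbreviated SHA; a full 40-char SHA is required"))
        else:
            findings.append((n, ref, f"mutable ref '{version}' (tag or branch)"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"{label}: {audit_uses(text)}")
```

Run it over the files in `.github/workflows/` as a pre-merge check; it reports two findings for the "before" fragment (`actions/checkout@v5`, `actions/setup-node@v6`) and none for the pinned one. The version comment matters beyond readability: without it a reviewer cannot tell which release a SHA corresponds to, which is exactly the class of mistake the commit history of this PR records.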

Commits

Pin all third-party GitHub Actions to full commit SHAs instead of
floating version tags to prevent supply chain attacks. Add dependabot
configuration with grouped updates to automatically keep SHAs current.

The SHA-pinned v2.0.1 requires explicit repo-token input unlike the
floating v2 tag which had a default value.

v2.0.1 (2020) does not support Yarn 4, causing CI failure.
Pin to v2.9.0 which matches the previously used floating v2 tag.
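The second and third commits above show the practical failure mode of SHA pinning: the first SHA chosen for compressed-size-action resolved to the 2020 release v2.0.1 rather than the release the floating v2 tag was actually serving, and CI broke. The usual way to get the right SHA is `git ls-remote --tags`, and it has its own trap: an annotated tag is listed twice, once as the tag object and once peeled (`refs/tags/<tag>^{}`) as the commit it points to, and only the peeled SHA is a commit that can be pinned. The code below is an added example, not part of the PR; the `git ls-remote` output it parses is constructed with placeholder SHAs, and `resolve_tag` is the network-backed variant assumed to be run against a real repository URL.

```python
import subprocess

FULL_SHA_LEN = 40

# Constructed `git ls-remote --tags` output with placeholder SHAs. v2.9.0 is
# modelled as an annotated tag (tag object + peeled commit); v2.0.1 as a
# lightweight tag (single line whose SHA already is the commit).
TAG_OBJECT_SHA = "1" * 40
COMMIT_SHA = "2" * 40
SAMPLE_LS_REMOTE = f"""\
{TAG_OBJECT_SHA}\trefs/tags/v2.9.0
{COMMIT_SHA}\trefs/tags/v2.9.0^{{}}
{'3' * 40}\trefs/tags/v2.0.1
"""


def parse_ls_remote(output, tag):
    """Return the commit SHA behind `tag` from ls-remote output.

    Prefer the peeled `^{}` line: for an annotated tag the plain line is the
    SHA of the tag object, which is not a commit and would fail at runtime
    if written into `uses:`. A lightweight tag has no peeled line, so its
    plain SHA is returned. Returns None if the tag is absent."""
    plain = peeled = None
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


def resolve_tag(repo_url, tag):
    """Network variant (assumption: git is installed and the URL reachable)."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url, f"refs/tags/{tag}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote(out, tag)


def pin_matches_tag(output, pinned_sha, tag):
    """True if the SHA written in the workflow is the commit behind `tag`.

    This is the check that would have caught pinning a v2.0.1 commit under
    a '# v2' comment: resolve the tag the comment names and compare."""
    resolved = parse_ls_remote(output, tag)
    return (
        resolved is not None
        and len(pinned_sha) == FULL_SHA_LEN
        and resolved == pinned_sha.lower()
    )


if __name__ == "__main__":
    print("v2.9.0 ->", parse_ls_remote(SAMPLE_LS_REMOTE, "v2.9.0"))
    print("pin ok:", pin_matches_tag(SAMPLE_LS_REMOTE, COMMIT_SHA, "v2.9.0"))
```

When adopting a pin, resolve the tag named in the `# vX.Y.Z` comment and assert the SHA matches before committing; when Dependabot later bumps the SHA, the same check confirms the updated comment and SHA still agree.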
@github-actions (Contributor) commented:
Size Change: 0 B 🆕

Total Size: 0 B

compressed-size-action

@kimyouknow kimyouknow marked this pull request as ready for review February 13, 2026 00:56
@kimyouknow kimyouknow self-assigned this Feb 13, 2026
@zztnrudzz13 (Collaborator) commented:
what is this task for?

@kimyouknow (Collaborator, Author) commented:
This task pins all third-party GitHub Actions to full-length commit SHAs instead of mutable version tags (e.g., @v5) to strengthen supply chain security.

Git tags are aliases that repo owners can reassign to a different commit at any time, which means malicious code could be injected and silently executed in CI. Commit SHAs are immutable, ensuring only the exact reviewed code runs.

Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
