
chore: pin github actions to sha and bump to latest#3034

Merged
abnegate merged 1 commit into main from chore/pin-github-actions-main on May 8, 2026

Conversation

@abnegate
Member

@abnegate abnegate commented May 8, 2026

Summary

Pin every third-party action in .github/workflows/ to a full commit SHA with a trailing version comment, and bump to the latest stable release. Defends against tag-rewrite supply-chain attacks while keeping versions legible.

Actions pinned (latest stable)

  • actions/checkout -> v6.0.2
  • actions/cache -> v5.0.5
  • actions/upload-artifact -> v7.0.1
  • actions/stale -> v10.2.0
  • oven-sh/setup-bun -> v2.2.0
  • docker/setup-qemu-action -> v4.0.0
  • docker/setup-buildx-action -> v4.0.0
  • docker/login-action -> v4.1.0
  • docker/metadata-action -> v6.0.0
  • docker/build-push-action -> v7.1.0

Test plan

  • CI checks (tests, e2e) pass
  • All workflow YAML still parses

Pin every third-party action in .github/workflows/ to a full commit SHA
with a trailing version comment, and bump to the latest stable release.
Defends against tag-rewrite supply-chain attacks while keeping versions
legible.
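The property this PR enforces, shown as an added example that is not code from the PR or the repository: a tag such as `v6` is a mutable pointer that whoever controls the action's repository can move to a different commit, while a 40-hex commit SHA is content-addressed and cannot be silently repointed, so the check below scans workflow files for `uses:` lines and flags any third-party action that is not pinned to a full SHA with a trailing version comment. The workflow text and the SHAs in it are constructed for the example and are not the repository's real pins; the script and its function names are assumptions.

```python
"""Lint GitHub Actions workflow files for full-commit-SHA pins.

Added example, not the PR's or the repository's code. Flags every
third-party `uses:` reference that is not a 40-hex commit SHA followed
by a `# vX.Y.Z` comment, which is the form this PR adopts so that the
ref is immutable but the version stays legible.
"""
import re
import sys
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref` (optionally quoted) plus an
# optional trailing `# comment`. Does not match `run:` lines that happen
# to contain the word "uses:".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<quote>['\"]?)(?P<action>[^'\"\s#]+)(?P=quote)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# The trailing comment must start with a version such as v6.0.2 or 6.0.2.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def check_line(line):
    """Return None if the line is not a `uses:` line or is acceptable,
    otherwise a short reason string describing the problem."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, comment = m.group("action"), m.group("comment")
    # Local actions and docker:// images are out of scope for SHA pinning.
    if action.startswith("./") or action.startswith("docker://"):
        return None
    if "@" not in action:
        return f"{action} has no @ref at all"
    repo, ref = action.rsplit("@", 1)
    if not SHA_RE.match(ref):
        return f"{repo} pinned to mutable ref {ref!r}, not a full commit SHA"
    if not comment or not VERSION_COMMENT_RE.match(comment.strip()):
        return f"{repo} pinned to SHA without a trailing version comment"
    return None


def lint_workflow(text):
    """Return [(line_number, reason), ...] for every problematic `uses:`."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = check_line(line)
        if reason:
            findings.append((n, reason))
    return findings


def lint_files(paths):
    """Lint each workflow file; return {path: findings} for files with issues."""
    results = {}
    for p in paths:
        findings = lint_workflow(Path(p).read_text())
        if findings:
            results[str(p)] = findings
    return results


# Constructed sample workflow (hypothetical SHAs, not real commits):
# line 7 is correctly pinned, line 8 uses a mutable tag, line 9 is a SHA
# with no version comment, lines 10 and 11 are out of scope.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: oven-sh/setup-bun@v2
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
      - name: Build
        run: bun run build
"""


if __name__ == "__main__":
    # With file arguments, lint those; otherwise run on the sample above.
    if len(sys.argv) > 1:
        problems = lint_files(sys.argv[1:])
    else:
        problems = {"<sample>": lint_workflow(SAMPLE_WORKFLOW)}
    for path, findings in problems.items():
        for n, reason in findings:
            print(f"{path}:{n}: {reason}")
    sys.exit(1 if any(problems.values()) else 0)
```

Run it as `python pin_check.py .github/workflows/*.yml` (hypothetical filename) in CI so a later PR cannot quietly reintroduce a tag reference; the version comment is required as well as the SHA, because a bare SHA tells a reviewer nothing about what release it corresponds to, and it is also the hint a tool like Dependabot or Renovate uses to keep the pin current.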
@greptile-apps
Contributor

greptile-apps Bot commented May 8, 2026

Greptile Summary

This PR hardens the CI/CD supply chain by replacing mutable version tags with full commit SHA pins across all six workflow files, and simultaneously bumps every third-party action to its current stable release.

  • All actions/* and oven-sh/setup-bun references are updated to their latest SHA-pinned releases (checkout v6.0.2, cache v5.0.5, upload-artifact v7.0.1, stale v10.2.0, setup-bun v2.2.0).
  • All Docker actions (setup-qemu, setup-buildx, login-action, metadata-action, build-push-action) are pinned to their latest stable SHAs; spot-checked SHA prefixes match the published GitHub release pages.

Confidence Score: 5/5

Pure maintenance change with no functional impact — safe to merge.

All six workflow files receive identical, mechanical substitutions: mutable version tags are replaced with full-length commit SHAs and trailing version comments. No workflow logic, inputs, secrets handling, or step ordering is changed. Spot-checked SHAs for actions/checkout (de0fac2), actions/upload-artifact (043fb46), and docker/build-push-action v7.1.0 all match their respective GitHub release pages.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/copilot-setup-steps.yml Pins actions/checkout to v6.0.2 SHA and oven-sh/setup-bun to v2.2.0 SHA; no logic changes.
.github/workflows/dockerize-profiles.yml All Docker and checkout actions bumped and SHA-pinned; no functional changes to build steps.
.github/workflows/e2e.yml Pins checkout, setup-bun, cache, and upload-artifact to their latest SHA-locked versions; no workflow logic changed.
.github/workflows/publish.yml Four parallel publish jobs all updated with identical SHA-pinned action versions; no behavioural changes to build/push logic.
.github/workflows/stale.yml Bumps actions/stale from v9 to v10.2.0 with SHA pin; configuration parameters unchanged.
.github/workflows/tests.yml Pins actions/checkout and oven-sh/setup-bun to latest SHA-locked versions; no test logic modified.


@abnegate abnegate merged commit e1d3606 into main May 8, 2026
6 checks passed
@abnegate abnegate deleted the chore/pin-github-actions-main branch May 8, 2026 01:41