ci: enforce least-privilege permissions and update workflows (#188)

* ci: add permissions: {} to CI workflow with job-level contents: read

* ci: enforce least-privilege permissions in security workflow

* ci: enforce least-privilege permissions in commitlint workflow

* ci: enforce least-privilege permissions in pr-lint workflow and update actions

* ci: enforce least-privilege permissions in stale workflow and update actions

* ci: enforce least-privilege permissions in sync-labels workflow and update actions

* ci: enforce least-privilege permissions in release workflow and update actions

* chore(actions): update ivuorinen/actions/codeql-analysis (v2026.03.06 → v2026.03.09)

* chore(deps): update testdata composite action dependencies

.github/workflows/release.yml

@@ -6,8 +6,7 @@ on:
     tags:
       - "v*.*.*"
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   release:
@@ -33,18 +32,18 @@ jobs:
           node-version: "24"
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
         with:
           cosign-release: "v2.4.0"
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}