Secure GitHub actions

- Pin all actions to a commit
- Use `persist-credentials: false` for checkout
- Limit workflow/action permissions to the minimum. checkout requires `contents: read` and the rest should not require anything.

PiperOrigin-RevId: 937942002

Author: frigus02

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: build ${{ matrix.binding }}
@@ -15,14 +18,17 @@ jobs:
         binding: [pixel_bridge, deflate, saphyr, serde_json, zip]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Set up Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
         with:
           # NOTE: b/514328084 - Crubit generates some code that causes unused-imports warnings. By
           # default rustflags is "-D warnings" causing the build to fail.
           rustflags: ""
+
       - name: Install Protobuf
         if: matrix.binding == 'serde_json'
         run: sudo apt-get update && sudo apt-get install -y libprotobuf-dev protobuf-compiler