ci: pin GitHub Actions to exact commit SHAs in security workflow

[matiasinsaurralde]

What

• Pin all GitHub Actions in security.yml to immutable commit SHAs instead of mutable version tags
• Affected actions: actions/checkout, actions/setup-go and golvulncheck
• Original version tags preserved as inline comments for readability

Why

Security improvements, follow up of #689 and #751

How

Replace each uses: action@vN reference with uses: action@<full-sha> # vX.Y.Z, preserving the version in a trailing comment for readability

Checklist

• Tests added/updated
• make test passes locally
• make lint passes locally
• Commit messages follow conventional commits
• All commits are signed off (git commit -s) per DCO
• [ ] Documentation updated (if user-facing change)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Defilan]

Approving: CI green, low-risk. Merging as part of dependency/CI cleanup.