chore: pin third-party GitHub Actions to commit SHAs #238

Closed
mahangu wants to merge 1 commit into trunk from chore/devprod-1072-pin-actions-shas

mahangu commented Jun 7, 2026

Pins third-party GitHub Actions in this repo to immutable commit SHAs.

This is a draft PR for review before merging. It was prepared with agent assistance and manually verified.

Tracking: DEVPROD-1072

Repo-level summary:

  • Pinned distinct third-party action refs in this PR: 2
  • Repo-level unpinned usage count from the trunk recheck: 6
  • Dependabot GitHub Actions coverage: created (.github/dependabot.yml)

Verification commands:

# codecov/codecov-action # v4.6.0 -> b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
gh api repos/codecov/codecov-action/commits/v4.6.0 --jq '.sha'
# expected: b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238

# shivammathur/setup-php # 2.37.1 -> 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
gh api repos/shivammathur/setup-php/commits/2.37.1 --jq '.sha'
# expected: 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
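
An added example, not part of this PR or of the Newspack repository: a Python audit that lists the third-party `uses:` references in a workflow file and reports whether each one is pinned to a full 40-character commit SHA. The sample workflow is constructed (its two SHAs are the ones quoted above), and treating the `actions` and `github` owners as first-party is an assumption.

```python
import re

# A `uses:` entry: optional list dash, optional quotes, optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: these owners count as first-party and are skipped.
FIRST_PARTY_OWNERS = frozenset({"actions", "github"})

# Constructed sample workflow; the two SHAs are the ones quoted in the PR description.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
      - uses: codecov/codecov-action@v4.6.0
      - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
      - uses: ./.github/actions/local-step
"""

def audit_workflow(text, first_party=FIRST_PARTY_OWNERS):
    """Return (line_no, action, ref, verdict) for each third-party `uses:` ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not owner/repo@ref references.
        if target.startswith(("./", "docker://")):
            continue
        action, sep, ref = target.partition("@")
        if action.split("/")[0].lower() in first_party:
            continue
        if not sep:
            verdict = "missing-ref"
        elif FULL_SHA_RE.fullmatch(ref):
            # A trailing comment records which release the SHA is meant to be.
            verdict = "pinned" if comment else "pinned-no-version-comment"
        else:
            # Tags, branches and shortened SHAs all count as unpinned here.
            verdict = "unpinned"
        findings.append((line_no, action, ref, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print("%d: %s@%s -> %s" % finding)
```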

github-actions Bot commented Jun 7, 2026

👋 Thanks for your interest in contributing to Newspack!

Newspack development has moved to a single monorepo: Automattic/newspack-workspace. This repository is now a read-only mirror, so we're automatically closing new pull requests here.

Please reopen your change against the monorepo – newspack-scripts now lives at packages/scripts/ there. Thank you! 💙

github-actions Bot closed this Jun 7, 2026