chore(deps): pin dependencies

Author: renovate[bot]

.github/workflows/ci.yml

@@ -22,7 +22,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout ${{ github.repository }}
-        uses: actions/[email protected]
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Install uv
@@ -34,7 +34,7 @@ jobs:
       - name: Install pre-commit
         run: |
           uv sync --locked --only-dev
-      - uses: mschoettle/[email protected]
+      - uses: mschoettle/pre-commit-action@0ffaba63d7e205c4109d6a3ca4ced5fc4decd04b # v4.2.3
         env:
           SKIP: markdownlint-cli2
       - name: Run markdownlint
@@ -66,7 +66,7 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
           lfs: true
@@ -75,25 +75,25 @@ jobs:
           fetch-depth: 0
 
       - name: Login to GitHub Container Registry
-        uses: docker/[email protected]
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         if: github.event_name != 'pull_request'
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/[email protected]
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Validate build configuration
-        uses: docker/[email protected]
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           call: check
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/[email protected]
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       - name: Build Docker image
-        uses: docker/[email protected]
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           # use path context to make .git available in build
           # https://github.com/docker/build-push-action?tab=readme-ov-file#git-context
@@ -111,7 +111,7 @@ jobs:
           TAGS: ${{ steps.meta.outputs.tags }}
         run: docker run --rm "${TAGS}" --version
       - name: Push Docker image
-        uses: docker/[email protected]
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           # use path context to make .git available in build
           # https://github.com/docker/build-push-action?tab=readme-ov-file#git-context