chore: pin third-party GitHub Actions to commit SHAs #140

Merged: mahangu merged 1 commit into main from chore/devprod-1072-pin-actions-shas on Jun 7, 2026
mahangu commented Jun 7, 2026

Pins third-party GitHub Actions in this repo to immutable commit SHAs.

This is a draft PR for review before merging. It was prepared with agent assistance and manually verified.

Tracking: DEVPROD-1072

Repo-level summary:

  • Pinned distinct third-party action refs in this PR: 5
  • Repo-level unpinned usage count from the trunk recheck: 7
  • Dependabot GitHub Actions coverage: created (.github/dependabot.yml)

Known label limitations:

  • ChristophWurst/xmllint-action keeps # v1 because v1 is the exact tag being pinned; newer v1.x tags point to different commits.
  • ramsey/composer-install keeps # v1 because v1 is a branch at this commit; specific 1.x tags point to different commits.

Verification commands:

# ChristophWurst/xmllint-action # v1 -> d18a551aab4728e4af449617638600634d7a48cb
gh api repos/ChristophWurst/xmllint-action/commits/v1 --jq '.sha'
# expected: d18a551aab4728e4af449617638600634d7a48cb

# korelstar/phplint-problem-matcher # v1.2.0 -> cb2b753750ec7bf13a7cde0a476df8c5605bdfb1
gh api repos/korelstar/phplint-problem-matcher/commits/v1.2.0 --jq '.sha'
# expected: cb2b753750ec7bf13a7cde0a476df8c5605bdfb1

# korelstar/xmllint-problem-matcher # v1.2.0 -> 1bd292d642ddf3d369d02aaa8b262834d61198c0
gh api repos/korelstar/xmllint-problem-matcher/commits/v1.2.0 --jq '.sha'
# expected: 1bd292d642ddf3d369d02aaa8b262834d61198c0

# ramsey/composer-install # v1 -> 994bb194a4fefcf39449ccf0f7766a4318f1ac76
gh api repos/ramsey/composer-install/commits/v1 --jq '.sha'
# expected: 994bb194a4fefcf39449ccf0f7766a4318f1ac76

# shivammathur/setup-php # 2.37.1 -> 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
gh api repos/shivammathur/setup-php/commits/2.37.1 --jq '.sha'
# expected: 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc

mahangu self-assigned this Jun 7, 2026
mahangu marked this pull request as ready for review June 7, 2026 10:03
mahangu merged commit 719ef70 into main Jun 7, 2026
0 of 40 checks passed
mahangu deleted the chore/devprod-1072-pin-actions-shas branch June 7, 2026 10:04
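
An added example, not part of this PR or the repository's own code: a Python audit that scans workflow text for third-party `uses:` refs that are not full 40-character commit SHAs, the kind of check behind the unpinned-usage count in the summary above. The function name `audit_workflow`, the first-party owner set and the sample workflow (including the abbreviated SHA and the `actions/checkout` step) are assumptions constructed for illustration.

```python
import re

# owner/repo[/path]@ref on a `uses:` line, with an optional trailing "# label" comment.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<action>[^@\s'"#]+)@(?P<ref>[^\s'"#]+)['"]?"""
    r"""\s*(?:#\s*(?P<label>.+?))?\s*$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Assumption: these owners count as first-party and are out of scope.
FIRST_PARTY_OWNERS = {"actions", "github"}

# Constructed sample workflow; the full SHA and the labels are the ones listed in the PR.
SAMPLE = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
      - name: Install dependencies
        uses: ramsey/composer-install@v1
      - uses: korelstar/phplint-problem-matcher@cb2b753 # v1.2.0
      - uses: ./.github/actions/local-step
"""


def audit_workflow(text):
    """Return (pinned, unpinned) lists of third-party action refs in workflow text."""
    pinned, unpinned = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line, commented out, or a local ref without "@"
        action, ref, label = m.group("action", "ref", "label")
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images are not repo refs
        if action.split("/", 1)[0].lower() in FIRST_PARTY_OWNERS:
            continue
        entry = {"line": lineno, "action": action, "ref": ref, "label": label}
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous refs.
        (pinned if FULL_SHA_RE.match(ref) else unpinned).append(entry)
    return pinned, unpinned


if __name__ == "__main__":
    pinned, unpinned = audit_workflow(SAMPLE)
    print(f"pinned: {len(pinned)}, unpinned: {len(unpinned)}")
    for u in unpinned:
        print(f"line {u['line']}: {u['action']}@{u['ref']} is not a full commit SHA")
```

A full SHA only shows that the ref is immutable; whether it is the commit the trailing label names still has to be confirmed with the `gh api` checks listed in the PR description.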