ci: Add persist-credentials: false and pin actions/checkout to a hash in workflow templates #170

@coderabbitai

Description

Summary

The .github/workflows/ YAML files generated from the templates in this repository have two security-related findings flagged by zizmor in linux-system-roles/ssh#239.

These findings apply to the template source used to generate the workflow files, so fixes should be made here.

Finding 1 — Credential persistence (artipacked)

Severity: Warning
Rule: artipacked

The actions/checkout step does not set persist-credentials: false. This means GitHub credentials (the GITHUB_TOKEN) are written to the local git config and remain available to all subsequent steps and any action invoked after checkout, which is a wider-than-necessary credential scope.

Suggested fix:

- name: Checkout code
  uses: actions/checkout@<hash>
  with:
    persist-credentials: false

Finding 2 — Unpinned action reference (unpinned-uses)

Severity: Error
Rule: unpinned-uses

actions/checkout@v6 is referenced by a mutable tag rather than an immutable commit hash. A compromised or altered tag could introduce unexpected code into CI.

Suggested fix: Pin to the full commit SHA of the desired release, e.g.:

uses: actions/checkout@<full-sha>  # v6
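A small check for both findings, added here as an example and not code from the repository or from zizmor: a line-based scan (not a full YAML parser) of a constructed workflow that flags `uses:` references that are not a 40-hex commit SHA and `actions/checkout` steps whose `with:` block lacks `persist-credentials: false`. The sample workflow and its SHA are placeholders, not real release hashes.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample, not a workflow from the repository. The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Checkout pinned
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6
        with:
          persist-credentials: false
      - name: Setup python
        uses: actions/setup-python@v5
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(.+?)\s*(?:#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\s*(?:#.*)?$")

Finding = Tuple[int, str, str]  # (line number, rule id, message)


def _step_body(lines: List[str], start: int, key_indent: int) -> Iterator[str]:
    """Yield lines that belong to the same step as lines[start] (deeper or equal indent)."""
    for line in lines[start + 1:]:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment-only lines never end a step
        if len(line) - len(line.lstrip()) < key_indent:
            break  # next list item or outer key: step ended
        yield line


def audit_workflow(text: str) -> List[Finding]:
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # local ("./...") and docker:// actions are out of scope here
        action, version = m.group(1).rsplit("@", 1)
        lineno = idx + 1
        if not SHA_RE.match(version):  # tag or branch: mutable, unpinned-uses
            findings.append((lineno, "unpinned-uses", f"{action} uses mutable ref '{version}'"))
        if action == "actions/checkout":  # token persists unless explicitly disabled
            body = _step_body(lines, idx, line.index("uses:"))
            if not any(PERSIST_RE.match(b) for b in body):
                findings.append((lineno, "artipacked", "checkout without persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {msg}")
```

The pinned step with `persist-credentials: false` produces no finding; the two unpinned steps and the unhardened checkout do.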
