Hash-pin some actions, eliminate some credentials #311
woodruffw wants to merge 3 commits into rust-cli:main from
Conversation
Signed-off-by: William Woodruff <william@yossarian.net>
Primarily two auto-fixes: disabling credential persistence for the checkout action, and removing a small template injection.
Signed-off-by: William Woodruff <william@yossarian.net>
Signed-off-by: William Woodruff <william@yossarian.net>
Oops, realized I forgot to put my motivation in the top comment: I'm opening these kinds of PRs across a few repos hosting crates that uv and other Astral tools depend on, as part of our goal to ratchet down sources of mutability/supply chain risk in our downstream. But if you find this disruptive, I'd be happy to close this.
I have a central template (https://github.com/epage/_rust) that is a merge base for all of my repos. I recently adopted zizmor there (which is why I've been opening issues and PRs) and have been working out some kinks before mass updating all of my repos. I would prefer to adopt this change in the template update.
Oh whoops, that explains a lot. I can move these proposed changes over there.
Sure, any further improvements would be appreciated.
This burns down some findings from zizmor. The main ones are actions that aren't hash-pinned (I've fixed these with `pinact run -v`) and credential persistence by default in `actions/checkout`. There's one place (template.yml) where the persisted credential was actually being used, so I've done `persist-credential: true` there.

Apart from that, I've removed one (probably not exploitable) template injection. There are about 41 other remaining zizmor issues, but a good chunk of those are `superfluous-actions` (which should get suppressed on the next release per zizmorcore/zizmor#1817). I haven't added a zizmor workflow with this PR, but would be happy to either here or in a follow-up if desired.

(N.B. a lot of the actions that are left unpinned are left because they require a maintenance decision, e.g. replacing `uses: taiki-e/install-action@cargo-hack` with `uses: taiki-e/install-action@hash....` and `tool: cargo-hack@v1.2.3`. If that's fine by you, I can do those in a follow-up too.)
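The three finding classes the PR description burns down (unpinned `uses:` refs, `actions/checkout` without `persist-credentials: false`, and `${{ ... }}` expressions interpolated into a `run:` script) can be spotted with a few lines of Python. The checker below is an added example and is not code from this PR, from zizmor or from pinact; it uses a deliberately simple line-based YAML walk rather than a real parser, and its list of attacker-influenced expression contexts (`github.event.*`, `github.head_ref`) is a shortened assumption, not zizmor's full list. The embedded workflow is constructed for the example, and the 40-hex commit id in it is a placeholder, not a real `actions/checkout` commit.

```python
import re

# Constructed sample workflow (not from the PR): each weak setting sits next
# to its corrected form. The commit id is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - name: Greet
        run: |
          echo "Hello ${{ github.event.pull_request.title }}"
          echo "from ${{ github.actor }}"
      - name: Greet safely
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Hello $TITLE"
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # hash-pinned ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
PERSIST_FALSE_RE = re.compile(r"persist-credentials:\s*false\b")
# Assumption: a shortened list of contexts an outside contributor can shape.
EXPR_RE = re.compile(r"\$\{\{\s*(github\.event\.[^\s}]+|github\.head_ref)\s*\}\}")


def split_steps(lines):
    """Group the lines under each `steps:` key into one list per `- ` item."""
    steps, current, step_indent, in_steps = [], None, None, False
    for lineno, line in enumerate(lines, start=1):
        stripped = line.lstrip()
        if not in_steps:
            in_steps = stripped.startswith("steps:")
            continue
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if stripped.startswith("- ") and step_indent in (None, indent):
            step_indent, current = indent, []
            steps.append(current)
        elif step_indent is not None and indent < step_indent:
            in_steps, step_indent, current = False, None, None  # left the list
            continue
        if current is not None:
            current.append((lineno, line))
    return steps


def run_script(step):
    """Return (lineno, text) pairs making up the step's `run:` script."""
    script, key_indent = [], None
    for lineno, line in step:
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if key_indent is None:
            m = RUN_RE.match(line)
            if m:
                key_indent = indent + (2 if stripped.startswith("- ") else 0)
                if m.group(1) not in ("", "|", "|-", ">", ">-"):
                    script.append((lineno, m.group(1)))
        elif indent > key_indent:
            script.append((lineno, stripped))  # block-scalar continuation
        else:
            break
    return script


def analyze_step(step):
    """Return (rule, lineno, detail) findings for one step."""
    findings = []
    keeps_creds = not any(PERSIST_FALSE_RE.search(l) for _, l in step)
    for lineno, line in step:
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append(("unpinned-uses", lineno, f"{action}@{ref}"))
        if action == "actions/checkout" and keeps_creds:
            findings.append(("credential-persistence", lineno, action))
    for lineno, text in run_script(step):
        for ctx in EXPR_RE.findall(text):
            findings.append(("template-injection", lineno, ctx))
    return findings


def lint_workflow(text):
    """Lint a workflow file's text; findings are sorted by line number."""
    findings = []
    for step in split_steps(text.splitlines()):
        findings.extend(analyze_step(step))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule, lineno, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {detail}")
```

Run against the sample, the checker reports the `@v4` checkout twice (unpinned, and it leaves the token in `.git/config` for later steps) and the `run: |` block that expands the PR title inline, while the pinned checkout with `persist-credentials: false` and the step that passes the title through an `env:` variable are clean; that last pattern is the usual fix for a template injection, since the shell sees the value as data rather than as part of the script.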