Pin every third-party action in .github/workflows/ to a full commit SHA
with a trailing version comment, and bump to the latest stable release.
Defends against tag-rewrite supply-chain attacks while keeping versions
legible.
Download dependencies so they are available in coding agents. Otherwise, the coding agents are unable to access pkg.pr.new and pkg.vc domains so the package install fails.