chore: update Github Actions and switch to SHA pinning over tags

[jtroup]

what

Updated GitHub Actions workflows and dependencies:

• Upgraded actions/checkout from v5 to v6.0.0
• Upgraded astral-sh/setup-uv from v6 to v7.1.4
• Upgraded pypa/gh-action-pypi-publish from v1 to v1.13.0
• Migrated from extractions/setup-just@v3 to extractions/setup-crate@v1.4.0 with explicit just configuration
• All actions now pin to specific commit hashes with version comments for improved security and reproducibility
• Changed tool version environment variable naming from TOOL_VERSION_* prefix to *_TOOL_VERSION postfix (e.g., TOOL_VERSION_PYTHON → PYTHON_TOOL_VERSION)
• Enhanced Dependabot configuration with monthly updates, 7-day cooldown, grouped updates, and "chore" commit prefix

Updated pre-commit hooks and tooling:

• Upgraded ruff-pre-commit from v0.14.2 to v0.14.7
• Upgraded pyproject-fmt from v2.11.0 to v2.11.1
• Upgraded uv-pre-commit from 0.9.5 to 0.9.13
• Added actionlint v1.7.9 hook for validating GitHub Actions workflow files

why

• Security: Pinning actions to commit hashes prevents supply chain attacks and ensures reproducible builds
• Stability: Reducing Dependabot frequency from weekly to monthly and adding cooldown reduces update noise
• Maintainability: Grouping all GitHub Actions updates into single PRs makes them easier to review
• Consistency: Using postfix naming convention for tool versions aligns with common shell variable patterns
• Compatibility: Newer action versions provide better support for Python 3.14 and modern tooling
• Code Quality: Updated pre-commit hooks provide latest linting and formatting rules; actionlint addition catches workflow syntax errors before CI runs

testing

just lint and landing this PR.

docs

N/A

---

🤖 Generated with Claude Code

[jtroup]

The CI / lint failure is per-existing and fixed in #43