ci: pin third-party workflow actions

[cesarenaldi]

Summary

• pin third-party GitHub Actions to full commit SHAs to resolve CodeQL actions/unpinned-tag alerts
• keep comments with the original tag/channel for maintainability

Alerts addressed

• chore(main): release polymarket-sdk 0.2.0 #1 integration setup-uv
• feat: complete gamma API (paginated + non-paginated audit) #3 publish setup-uv
• refactor: split client context into base + secure shape #4 PyPI publish action
• feat: add clob foundation #5 release-please action
• feat: add clob read endpoints #6 verify setup-uv static checks
• feat: clob auth and signing foundation #7 verify setup-uv tests

Verification

• make lint
• make format-check
• make typecheck
• actionlint -ignore 'label "arc-runner-set-euw1" is unknown'

Note: the ignored actionlint warning is for the existing custom self-hosted runner label used by the integration workflow.

---

Note

Low Risk
Low risk: workflow-only changes that pin existing third-party actions to immutable commit SHAs, reducing supply-chain risk without altering build/test logic.

Overview
Pins third-party GitHub Actions used in CI/CD workflows to full commit SHAs (keeping the original tag/channel in comments) to address unpinned-action alerts.

This updates setup-uv across integration and verify workflows, pins gh-action-pypi-publish in the publish workflow, and pins release-please-action in the release workflow, with no functional changes expected beyond using the exact referenced action revisions.

^{Reviewed by Cursor Bugbot for commit 119ca2a. Bugbot is set up for automated code reviews on this repo. Configure here.}