ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api),
add least-privilege permissions, set persist-credentials: false, and replace the
archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.

.github/workflows/linux.yml

@@ -14,28 +14,30 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   build-linux:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y libdbus-1-dev libsmbclient-dev
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: nightly
           components: rustfmt, clippy
       - name: Format
         run: cargo +nightly fmt --all -- --check
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: stable
           components: rustfmt, clippy
       - name: Run tests
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --no-default-features --features github-actions --no-fail-fast
+        run: cargo test --no-default-features --features github-actions --no-fail-fast
       - name: Clippy
         run: cargo clippy -- -Dwarnings