
ci: harden trusted publish workflow #622

Merged: JoviDeCroock merged 2 commits into main from ci/disable-publish-workflow-cache on May 20, 2026

Conversation

@JoviDeCroock (Member) commented May 19, 2026

Summary

  • Explicitly disables setup-node package-manager auto-caching in the trusted publishing workflow.
  • Removes existing publish-workflow dependency cache usage where present.
  • Pins external GitHub Actions in the trusted publish workflow to full commit SHAs, keeping the original tag as a comment breadcrumb.

Why

Trusted publishing/OIDC workflows should not restore shared dependency caches, and tag-based action references can be retargeted after compromise. The StepSecurity advisory for actions-cool/issues-helper is the concrete failure mode: tags were moved to an imposter commit, while full-SHA pinned workflows were unaffected.

Verification

  • Parsed the edited workflow YAML locally with PyYAML.
  • Re-scanned release workflows for actions/setup-node without package-manager-cache: false and for actions/cache usage.
  • Re-scanned trusted publish workflow uses: entries and confirmed all external actions are pinned to 40-character commit SHAs.
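The three checks listed under Verification can be automated. The scanner below is an added example written for this page, not code from the PR or the project: a stdlib-only Python scan that walks a workflow's `uses:` steps and their `with:` inputs, then flags any external action not pinned to a 40-character commit SHA, any actions/cache (or actions/cache/restore) step, and any actions/setup-node step that does not set `package-manager-cache: false`. The two workflows embedded in it are constructed samples, and the all-zero and all-one SHAs in the hardened one are placeholders, not real commits. It deliberately avoids PyYAML so it runs anywhere, at the cost of only understanding the common block-style step layout.

```python
import re

# Constructed sample: the weak shape this PR removes (tag refs, actions/cache,
# setup-node with its default package-manager auto-cache left on).
WEAK_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci
      - run: npm publish --provenance
"""

# Constructed sample: the hardened shape. The SHAs are PLACEHOLDERS (all zeros /
# all ones), not real commits; the tag is kept as a comment breadcrumb.
HARDENED_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          package-manager-cache: false
      - run: npm ci
      - run: npm publish --provenance
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
# Matches both "- uses: x@y" and a bare "uses: x@y" under a "- name:" step.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_-]+):\s*(.*)$")
CACHE_ACTIONS = ("actions/cache", "actions/cache/restore")


def parse_steps(text):
    """Line-based extraction of each `uses:` step and its `with:` inputs.
    Assumes block-style YAML (one key per line); trailing comments are dropped."""
    steps, current, in_with, with_indent = [], None, False, 0
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        m = USES_LINE.match(line)
        if m:
            current = {"uses": m.group(1), "with": {}}
            steps.append(current)
            in_with = False
            continue
        if line.lstrip().startswith("- "):  # a new step that is not a `uses:` step
            current, in_with = None, False
            continue
        if current is None:
            continue
        indent = len(line) - len(line.lstrip())
        km = KEY_LINE.match(line)
        if km and km.group(2) == "with" and km.group(3) == "":
            in_with, with_indent = True, indent
        elif in_with and km and indent > with_indent:
            current["with"][km.group(2)] = km.group(3).strip()
        else:
            in_with = False
    return steps


def audit(text):
    """Return one finding string per violation; an empty list means clean."""
    findings = []
    for step in parse_steps(text):
        action, _, ref = step["uses"].partition("@")
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local or container actions are not tag-retargetable refs
        if not SHA_PIN.match(ref):
            findings.append(f"{step['uses']}: not pinned to a 40-char commit SHA")
        if action in CACHE_ACTIONS:
            findings.append(f"{step['uses']}: dependency cache restored in publish workflow")
        if action == "actions/setup-node" and step["with"].get("package-manager-cache") != "false":
            findings.append(f"{step['uses']}: package-manager-cache is not explicitly false")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(wf) or "clean")
```

Against the weak sample this reports five findings (three unpinned refs, the cache step, and the setup-node step without `package-manager-cache: false`); against the hardened sample it reports none. The SHA check is only the first half of pinning: a 40-character ref still has to be verified against the upstream repository before it is trusted, which this scan does not do.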

changeset-bot (Bot) commented May 19, 2026

⚠️ No Changeset found

Latest commit: 89b7087

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@JoviDeCroock JoviDeCroock changed the title ci: disable cache in publish workflow ci: harden trusted publish workflow May 19, 2026
@JoviDeCroock JoviDeCroock merged commit d5014c2 into main May 20, 2026
1 check passed
@JoviDeCroock JoviDeCroock deleted the ci/disable-publish-workflow-cache branch May 20, 2026 04:55