chore: pin GitHub Actions to verified commit SHAs

[bhimrazy]

What does this PR do?

Pins GitHub Actions to verified commit SHAs for supply chain security.

Follows the same pattern as pytorch-lightning#21735.

Note: .github/workflows/release-pypi.yml was dropped from this PR to avoid merge conflicts. The release workflow changes are being handled separately in #709.

Pinned references

Action	Release	Commit SHA
actions/checkout	v6.0.2	de0fac2e4500dabe0009e67214ff5f5447ce83dd
astral-sh/setup-uv	v7.6.0	37802adc94f370d6bfd71619e3f0bf239e1f3b78
codecov/codecov-action	v6.0.1	e79a6962e0d4c0c17b229090214935d2e33f8354
Lightning-AI/utilities	v0.15.3	86fe1b20b4609835ba9e8c8739cd39707ba76868

[bhimrazy]

requires #690

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85%. Comparing base (aaed44c) to head (d6d3b05).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@         Coverage Diff         @@
##           main   #689   +/-   ##
===================================
  Coverage    85%    85%           
===================================
  Files        39     39           
  Lines      3282   3282           
===================================
  Hits       2778   2778           
  Misses      504    504           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bhimrazy]

Dropped the .github/workflows/release-pypi.yml changes from this PR to avoid merge conflicts. That workflow update is being handled separately in #709.