fix(action): pin transitive actions to full SHAs

[zerone0x]

Pin the composite action's transitive uses: references to full commit SHAs so the action can run in repos that enforce GitHub's full-SHA Actions policy.

Fixes #513.

Changes

• pin google-github-actions/auth to the current v3 commit SHA
• pin actions/upload-artifact to the current v6 commit SHA
• keep ratchet metadata on both references so future bumps stay trackable

I also checked the current tag targets before updating the pins:

• auth@v3 → 7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
• upload-artifact@v6 → b7c566a772e6b6bfb58ed0dc250532a479d7789f

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.