chore(ci): Pin workflow actions to hash #1104

Merged
daxpryce merged 2 commits into main from chore/cicd-modernization-and-branch-flattening, Jun 18, 2026

Conversation

@daxpryce (Contributor)

Build pipeline updates:

  • Releasing on tag, but spurring release by tag only.
  • Update actions to pinned hashes - Dependabot can and will suggest updates for them, and this way we can avoid a vector for supply chain attacks.
  • Added a trusted environment to publish to PyPI from.
  • Set up trusted build on PyPI and revoked old publication tokens.
  • Limit permissions at the top level and narrowly scope permissions to actions that need them.


Copilot AI left a comment


Pull request overview

This PR hardens and streamlines the release pipeline by switching publishing to tag-only releases, adopting pinned GitHub Actions SHAs to reduce supply-chain risk, and tightening GITHUB_TOKEN permissions.

Changes:

  • Trigger publishing only on vX.Y.Z tags and validate tag/version consistency before building.
  • Pin GitHub Actions to specific commit hashes and introduce workflow/job permission scoping.
  • Publish documentation to GitHub Pages under a versioned directory and latest during tag releases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File: .github/workflows/publish.yml
Description: Move publish trigger to semver tags, add tag/version validation, pin actions, and adjust docs publishing behavior/permissions.

File: .github/workflows/build.yml
Description: Pin actions, adjust trigger behavior, and introduce top-level permissions scoping for the build workflow.
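A check for the first two items in the review above (tag/version consistency and full-SHA pinning), added here as an example and not tooling from the project: it scans a workflow's `uses:` lines without a YAML library and compares a release tag with a package version string. The sample workflow embedded in it is constructed for the demonstration; the 40-zero SHA in it is a placeholder.

```python
"""Audit GitHub Actions workflows for unpinned `uses:` references and check
that a release tag matches the package version.

Added example, not the project's own code.  The scan is a line regex over the
YAML text so it needs no third-party parser; SAMPLE_WORKFLOW is constructed.
"""
import re

# `- uses: owner/repo@ref`, optionally quoted, with an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA as GitHub renders it: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The only tag shape the release trigger accepts.
TAG_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")

# Constructed sample: two unpinned references, one pinned, one local action.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5 (placeholder SHA)
      - uses: ./.github/actions/local-lint
      - uses: 'some-org/some-action@main'
"""


def parse_uses(workflow_text: str) -> list[str]:
    """Return every action reference found on a `uses:` line, in file order."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def is_pinned(ref: str) -> bool:
    """True when the reference cannot silently change.

    Local actions (./path) are repository content and count as pinned.
    docker:// images count as pinned only with a digest.  Anything else must
    carry a full 40-hex SHA after the '@'; tags and branches are mutable.
    """
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if "@" not in ref:
        return False  # no ref at all resolves to the action's default branch
    _, _, version = ref.rpartition("@")
    return bool(SHA_RE.match(version))


def unpinned_actions(workflow_text: str) -> list[str]:
    """Every reference in the workflow that a reviewer should reject."""
    return [r for r in parse_uses(workflow_text) if not is_pinned(r)]


def tag_matches_version(tag: str, version: str) -> bool:
    """True only for a vX.Y.Z tag whose numeric part equals `version` exactly.

    Rejects non-release tags, pre-release versions (v1.2.3 vs 1.2.3rc1) and
    non-canonical numbers (v01.2.3), so a mistyped tag fails before building.
    """
    return bool(TAG_RE.match(tag)) and tag[1:] == version


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
    print("tag ok:", tag_matches_version("v1.4.0", "1.4.0"))
```

Run it against `.github/workflows/*.yml` as a pre-merge check, or as a pre-commit hook, so an unpinned reference never reaches the default branch; Dependabot will keep bumping the pinned SHAs as long as the `# vN` comment after each one stays in place.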


daxpryce merged commit ccf1458 into main on Jun 18, 2026 (16 checks passed).
daxpryce deleted the chore/cicd-modernization-and-branch-flattening branch on June 18, 2026 at 23:46.