chore: Harden publish and integration test workflows against supply chain attacks

[ava-silver]

Summary

• publish.yml: SHA-pin actions/checkout (was @v2), add --immutable to yarn install
• integration_tests.yml: SHA-pin actions/checkout and actions/setup-node

Context

Following the axios npm supply chain compromise, we are hardening all CI workflows. The publish workflow is especially critical since it has npm publish credentials — a bare yarn (without --immutable) could have resolved a compromised transitive dependency and published a tainted package.

Follows up on #677 and #678 which hardened the build workflow.

Test plan

• Publish workflow still succeeds on next release
• Integration tests pass

🤖 Generated with Claude Code

[ava-silver]

• chore: Harden publish and integration test workflows against supply chain attacks #680 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.69%. Comparing base (3fe894d) to head (253054f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #680   +/-   ##
=======================================
  Coverage   77.69%   77.69%           
=======================================
  Files          12       12           
  Lines        1112     1112           
  Branches      350      350           
=======================================
  Hits          864      864           
  Misses        118      118           
  Partials      130      130           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.