ci: harden GitHub Actions workflows

Pin workflow actions to commit SHAs, set explicit permissions and timeouts, update Ubuntu runners, and include the generated action bundle.

Co-Authored-By: Codex <noreply@openai.com>

.github/workflows/test-action.yml

@@ -6,15 +6,28 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
     strategy:
       matrix:
         hugo-version: ['latest', '0.160.1']
         extended: [true, false]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'npm'
+
+      - run: npm ci
+
+      - run: npm run build
 
       - name: Setup Hugo
         uses: ./