fix: pin 2 unpinned action(s)

[dagecko]

This is a re-submission of #968, which was closed due to a branch issue on my end. Same fixes, apologies for the noise.

Security: Harden GitHub Actions workflows

Hey, I found some CI/CD security issues in this repo's GitHub Actions workflows. These are the same vulnerability classes that were exploited in the tj-actions/changed-files supply chain attack. I've been reviewing repos that are affected and submitting fixes where I can.

This PR applies mechanical fixes and flags anything else that needs a manual look. Happy to answer any questions.

Fixes applied

Rule	Severity	File	Description
RGS-007	high	.github/workflows/label.yml	Pinned 1 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/markdownlint.yml	Pinned 1 third-party action(s) to commit SHA

Additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks or reference unpinned third-party actions are vulnerable to code injection and supply chain attacks. These are the same vulnerability classes exploited in the tj-actions/changed-files incident which compromised CI secrets across thousands of repositories.

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

• SHA pinning: Pins third-party actions to immutable commit SHAs (original version tag preserved as comment)

---

If this PR is not welcome, just close it and I won't send another.

[afurm]

Pinning to exact SHA is a security best practice. However: (1) Verify the markdownlint commit hash is the correct v19 release and not a later one; (2) The # master/# v19 inline comments are redundant with the hash and should be removed or clarified; (3) Consider pinning ubuntu-latest to ubuntu-22.04 or ubuntu-24.04 explicitly for better reproducibility.