
Pin actions, reduce permissions and third-party actions#2222

Open
sethmlarson wants to merge 1 commit into pypa:master from sethmlarson:fix-github-actions

Conversation

@sethmlarson

Hello! I'm auditing PyPA GitHub Action release workflows using Zizmor. Here are the changes I recommend :) Let me know if you'd prefer I break these out into separate PRs.

  • Adopt GitHub's recommended pattern for enabling auto-merge on Dependabot. This avoids using pull_request_target which has caused multiple injections of malware already. This assumes that auto-merge already gates on CI/branch protections?
  • Pin all actions to SHAs, Dependabot should update these. Should we implement a strategy in this PR?
  • Reduce default permissions. I am hoping that contents: read is enough since separate permissions are set for when GitHub Releases are created or PyPI uploads occur.
  • Remove usage of a third-party action in favor of gh release create.

I'll be around when the next release happens, so if stuff breaks I can help pick up the pieces. I understand release workflows are difficult to test :(
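The audit this PR describes, as an added example that is not from the PR or the pypa repository: a small line-based check for the workflow weaknesses listed above (unpinned actions, a pull_request_target trigger, missing default permissions, third-party actions), run over a constructed weak workflow and its hardened counterpart. The two workflow texts, the first-party org allow-list and the all-zero placeholder SHA are assumptions made for the example.

```python
import re

# Constructed sample (not from the pypa repository) showing the three weaknesses the PR removes.
WEAK_WORKFLOW = """\
name: release
on: {pull_request_target: {types: [opened]}}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/gh-release-action@v2
"""
# Constructed hardened counterpart: SHA pin (placeholder SHA), least-privilege token, gh CLI.
HARDENED_WORKFLOW = """\
name: release
on: {push: {tags: ["v*"]}}
permissions: {contents: read}
jobs:
  release:
    runs-on: ubuntu-latest
    permissions: {contents: write}
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder, not a real SHA
      - run: gh release create "$GITHUB_REF_NAME" dist/*
        env: {GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"}
"""
SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FIRST_PARTY_ORGS = ("actions", "github")  # assumption: only these count as first-party

def audit_workflow(text: str) -> list[str]:
    """One finding per weakness: unpinned ref, third-party action, pull_request_target, no permissions."""
    findings, has_top_permissions = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop YAML comments before matching
        has_top_permissions |= line.startswith("permissions:")  # unindented => workflow-level
        if re.search(r"\bpull_request_target\b", line):
            findings.append(f"line {lineno}: pull_request_target trigger (write token meets untrusted PR input)")
        if m := USES_RE.match(line):
            ref = m.group(1)
            if not SHA_RE.fullmatch(ref.rpartition("@")[2]):
                findings.append(f"line {lineno}: unpinned action {ref} (pin to a full commit SHA)")
            if not ref.startswith("./") and ref.split("/", 1)[0] not in FIRST_PARTY_ORGS:
                findings.append(f"line {lineno}: third-party action {ref} (consider gh CLI instead)")
    if not has_top_permissions:
        findings.append("workflow: no top-level permissions block, GITHUB_TOKEN keeps default scopes")
    return findings
```

The weak workflow yields five findings and the hardened one none; a real pin must use the commit SHA of the tag you actually want, which Dependabot can then keep updated.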

@cjames23
Member

Something in the changes for build distributions has broken; my guess is that it is the switch from inputs.version to the env var for the uv install.
