chore: more cleanup and hardening

[gebhardtr]

Description

Cleanup and security hardening:

• Pinned and hardened GitHub workflow actions/permissions.
• Fixed OCI API denylist parsing and matching.
• Restricted Object Storage uploads to safe local roots.
• Validated Resource Search inputs and resource types.
• Redacted Identity auth-token secret output.
• Marked OCI-returned text as untrusted in model outputs.
• Blocked unsafe Pricing pagination URLs.
• Hardened Dockerfiles with pinned images/checksums/non-root users.
• Added regression tests for the updated behavior.

Fixes # (issue)

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

• Test A
• Test B

Test Configuration:

• Firmware version:
• Hardware:
• Toolchain:
• SDK:

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules