ci: pin sbom/cosign/attest actions to node20-safe versions

forgejo-runner v6.4.0 ships node20; floating tags @v0/@v3/@v2 now
resolve to actions whose runs.using=node24, which the runner cannot
exec. Pin to last node20-shipping release of each:

- anchore/sbom-action@v0.17.2
- sigstore/cosign-installer@v3.7.0
- actions/attest-build-provenance@v2.2.3

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.github/workflows/build-iso.yml

@@ -210,7 +210,8 @@ jobs:
 
       - name: Install cosign
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: sigstore/cosign-installer@v3
+        # Pinned to last v3 release confirmed node20.
+        uses: sigstore/cosign-installer@v3.7.0
 
       - name: Sign ISO parts (keyless)
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
@@ -224,7 +225,8 @@ jobs:
 
       - name: Generate SBOM (SPDX)
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: anchore/sbom-action@v0
+        # Pinned to last v0.17 release that ships node20.
+        uses: anchore/sbom-action@v0.17.2
         with:
           path: build/out
           format: spdx-json
@@ -232,7 +234,8 @@ jobs:
 
       - name: Build provenance attestation
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: actions/attest-build-provenance@v2
+        # Pinned to last v2.2 release that ships node20.
+        uses: actions/attest-build-provenance@v2.2.3
         with:
           subject-path: 'build/out/*.iso.part-*'