18 commits in all time Mar 19, 2026 12:15 – Jun 17, 2026 12:15 UTC
ci: pin action SHAs to latest, fix devportal docs and retire alpha channel (#97)
## Summary

This PR makes a few related CI/CD changes:

1. **Hardens the CI workflows** by pinning all third-party GitHub
Actions to immutable commit SHAs and bumping them to their latest
versions.
2. **Fixes versioned DevPortal docs publishing** so a
`devportal-docs.tar.gz` asset is attached to each `vX.Y.Z` release, not
only to the rolling `docs-latest` pre-release.
3. **Keeps the DevPortal docs current** by refreshing the rolling
`docs-latest` build on every push to `main`.
4. **Retires the `alpha` prerelease channel**, so releases come only
from `main` (beta) and `workflow_dispatch` (production).

## Changes

### CI security hardening

- Pin all third-party actions to full commit SHAs (with `# vX` comments)
instead of mutable tags in `build-python.yaml`, `cd.yaml`,
`check-docs.yaml`, `check-python.yaml`, `gh-pages.yaml`, and
`verify-examples.yaml`. `publish-devportal-docs.yml` was already
SHA-pinned. First-party refs stay as-is per policy:
`algorandfoundation/algokit-shared-config` reusable actions remain on
`@main`, and the DevPortal action remains on `@release/ak-v4`.
- Version bumps (all pinned to the corresponding SHA):
`actions/checkout` v4 to v6, `actions/upload-artifact` v4 to v7,
`actions/setup-python` v5 to v6, `actions/create-github-app-token` v2 to
v3, `actions/upload-pages-artifact` and `actions/deploy-pages` v4 to v5,
`astral-sh/setup-uv` v5 to v8, and `MishaKav/pytest-coverage-comment`
v1.2.0 to v1.7.2. `python-semantic-release` is already on the latest
(v10.5.3) and is SHA-pinned only.
- Move `pypa/gh-action-pypi-publish` from the rolling `release/v1`
branch to a pinned `v1.14.0` SHA. Updates now come via Dependabot or
manual bumps.
- Workflow `permissions` are intentionally left unchanged, to avoid
altering the working release pipeline.

### DevPortal docs publishing

- `publish-devportal-docs.yml`: drop the temporary
`ci/add-publish-to-devportal-workflow` push trigger in favor of `push:
branches: [main]`, and point the publish action at `release/ak-v4`. This
refreshes the rolling `docs-latest` pre-release on every merge to
`main`. Tag pushes (`v*`) continue to attach `devportal-docs.tar.gz` to
the corresponding version release.
- `pyproject.toml`: change the python-semantic-release `commit_message`
from `[skip ci]` to `skip-checks: true`. `[skip ci]` on the release bump
commit was suppressing the tag-push run of `publish-devportal-docs.yml`,
so the versioned `devportal-docs.tar.gz` was never attached. Tag pushes
now trigger the workflow and attach the tarball.

### Release channel cleanup

- Retire the `alpha` prerelease channel. In `cd.yaml`: remove `alpha`
from the push branches, drop the "Python Semantic Release - Alpha" step,
and remove the `alpha` references from the PyPI-publish condition, the
`run-name`, and the `publish-docs` guard. In `pyproject.toml`: remove
`[tool.semantic_release.branches.alpha]` and the `release-dry-run-alpha`
poe task. The release model becomes `main` to beta plus
`workflow_dispatch` to production.
- The existing `alpha` branch and the historical `v*-alpha.*` tags and
releases are left in place.

## Why

- Pinning actions to SHAs protects the supply chain against
tag-retargeting attacks, and bumping to latest keeps runtimes (Node 24)
and features current. Each bump was checked against this repo's usage;
none introduce breaking changes for how the actions are used here. All
workflows run on GitHub-hosted `ubuntu-latest`, so the higher minimum
runner versions that the Node 24 bumps require are satisfied
automatically.
- The DevPortal importer pulls each library's "Latest" docs from the
`docs-latest` release, which is only refreshed by non-tag runs. The
workflow previously triggered on a temporary feature branch, so
`docs-latest` went stale and the portal kept serving outdated docs.
Triggering on `main` keeps it current.
- A `[skip ci]` directive in a commit message suppresses every workflow
for that push, including the tag push, because the tag points to the
bump commit. That is why no `vX.Y.Z` release had a
`devportal-docs.tar.gz`. `skip-checks: true` is not honored by GitHub
Actions as a skip, so the tag push fires the docs workflow.
- The `alpha` prerelease channel is being retired. Removing its triggers
and release config stops further `*-alpha.*` publishes and CI runs on
that branch, while leaving the existing alpha history intact.
Git Commit d6dbc56a, Branch main, Document 10/67, ++ 72 --
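A reviewer-side check for the pinning policy described in the PR above, added here as example code that is not part of the repository: it scans workflow text for `uses:` references and reports which third-party actions are not pinned to a 40-hex commit SHA, treating `algorandfoundation/algokit-shared-config` branch refs as allowed first-party exceptions per the stated policy. The sample workflow, the `FIRST_PARTY` list and the placeholder SHA are constructed for this example.

```python
import re
from typing import NamedTuple

# Constructed sample workflow (not from the repository). The repeated
# "deadbeef" SHA is a placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v6
      - uses: actions/setup-python@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: astral-sh/setup-uv@v8
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: algorandfoundation/algokit-shared-config/.github/actions/setup@main
      - uses: ./.github/actions/build
"""

# First-party repositories whose branch refs are accepted by policy
# (assumption taken from the PR text; extend for your own organisation).
FIRST_PARTY = ("algorandfoundation/algokit-shared-config",)

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(\s*#\s*(\S+))?", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")


class Finding(NamedTuple):
    action: str
    ref: str
    status: str  # "local", "sha", "sha-no-comment", "first-party", "mutable"


def audit(workflow_text: str, first_party=FIRST_PARTY) -> list[Finding]:
    """Classify every `uses:` reference in a workflow file's text."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        spec, comment = m.group(1), m.group(3)
        if spec.startswith("./"):  # local composite action, has no ref
            findings.append(Finding(spec, "", "local"))
            continue
        action, _, ref = spec.rpartition("@")
        if SHA_RE.fullmatch(ref):
            # A trailing "# vX" comment keeps the pinned SHA readable/reviewable.
            status = "sha" if comment else "sha-no-comment"
        elif action.split("/.github")[0] in first_party:
            status = "first-party"
        else:
            status = "mutable"  # tag or branch: can be retargeted upstream
        findings.append(Finding(action, ref, status))
    return findings


def unpinned(workflow_text: str) -> list[str]:
    """Return 'action@ref' for each third-party step not pinned to a SHA."""
    return [f"{f.action}@{f.ref}" for f in audit(workflow_text) if f.status == "mutable"]
```

Run over every file under `.github/workflows/` and fail the check when `unpinned()` returns anything; the `sha-no-comment` status is worth flagging separately so reviewers can still see which version a SHA corresponds to.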
---

- ci: add pip-audit dependency vulnerability check
  Git Commit a01c3d37, Branch ci/harden-workflows-cleanup-alpha, Document 1/8, ++ 0 --
- Merge c1aaad8382b7bcd6561043034f02a3d063771576 into 5aec1b50f199d37d820a5d7d4fe4b56388d73ab6
  Git Commit 99621874, Branch pull/97/merge, Document 10/38, ++ 51 --
- ci: update setup node version in step name
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
  Git Commit c1aaad83, Branch ci/harden-workflows-cleanup-alpha, Document 1/1, ++ 1 --
- Merge e41ee0f947248e91389a8053eff6adec4010cabd into 5aec1b50f199d37d820a5d7d4fe4b56388d73ab6
  Git Commit ba26bcea, Branch pull/97/merge, Document 10/37, ++ 50 --
- ci: pin action SHAs to latest, fix devportal docs and retire alpha channel
  Git Commit e41ee0f9, Branch ci/harden-workflows-cleanup-alpha, Document 10/37, ++ 50 --
- Merge 7a23de39fba7afaaaec507fdba26cca95056137a into 5aec1b50f199d37d820a5d7d4fe4b56388d73ab6
  Git Commit 00ab849b, Branch pull/97/merge, Document 9/34, ++ 47 --
- ci: pin action SHAs to latest, fix devportal docs and retire alpha channel
  Git Commit 7a23de39, Branch ci/harden-workflows-cleanup-alpha, Document 9/34, ++ 47 --
- feat!: update algokit-utils-py to latest v5 beta (#87)
  BREAKING CHANGE: update algokit-utils-py to latest v5 beta
  Co-authored-by: Daniel McGregor <daniel.mcgregor@makerx.com.au>
  Co-authored-by: Neil Campbell <neil.campbell@makerx.com.au>
  Co-authored-by: Hoang Dinh <patrick.dinh@makerx.com.au>
  Co-authored-by: semantic-release <semantic-release>
  Co-authored-by: Luca Martini <luca.martini@algorand.foundation>
  Co-authored-by: mrcointreau <45950216+mrcointreau@users.noreply.github.com>
  Co-authored-by: David Rojas <lempira@gmail.com>
  Co-authored-by: David Rojas <lempira@users.noreply.github.com>
  Git Commit f8edad87, Branch main, Document 131/21,492, ++ 15,967 --
- Merge 6ebb9f408cc825bc4ff59364683c60482a55e91c into 4f1c777ffd068eaf309dcac327b39206ec9e9306
  Git Commit ba07aa7e, Branch pull/87/merge, Document 131/21,492, ++ 15,967 --
- Merge cf0272100db3fef3e5ad205b07e6df0788b8a508 into 123828ec9c96702a5f85bae829044d1d5874ba79
  Git Commit b938f8e8, Branch pull/96/merge, Document 3/117, ++ 11 --
- chore: bump algokit-utils to the latest beta
  Git Commit cf027210, Branch bump-algokit-utils-to-latest-beta, Document 3/117, ++ 11 --