harden remind-docs-and-tests workflow (#994)

* harden remind-docs-and-tests workflow
- SHA-pin wow-actions/auto-comment@v1
- deny GITHUB_TOKEN by default, grant pull-requests:write to the comment job
* match elementary-data/elementary#2210 SHA-pin comment convention

Author: GuyEshdat

.github/workflows/remind-docs-and-tests.yml

@@ -2,11 +2,16 @@ name: Remind docs and tests
 on:
   pull_request_target:
     branches: ["master"]
+permissions: {}
 jobs:
   run:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: wow-actions/auto-comment@v1
+      # wow-actions/auto-comment v1.1.2, checked 2026-04-26.
+      - uses: wow-actions/auto-comment@2fc064c21cfb2505de3c5c10e1473b8eb7beca1a
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           pullRequestOpened: |