harden remind-docs-and-tests workflow

- SHA-pin wow-actions/auto-comment@v1
- deny GITHUB_TOKEN by default, grant pull-requests:write to the comment job

Made-with: Cursor

Author: GuyEshdat

.github/workflows/remind-docs-and-tests.yml

@@ -2,11 +2,15 @@ name: Remind docs and tests
 on:
   pull_request_target:
     branches: ["master"]
+permissions: {}
 jobs:
   run:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      - uses: wow-actions/auto-comment@v1
+      - uses: wow-actions/auto-comment@2fc064c21cfb2505de3c5c10e1473b8eb7beca1a # v1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           pullRequestOpened: |