Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/setup-ffmpeg/action.yml:
- Around line 31-33: Add archive integrity verification before extracting
downloaded FFmpeg zips: after each curl that writes ffmpeg.zip (the command
using "https://www.osxexperts.net/ffmpeg${FF_VERSION}arm.zip" and the other
similar curl invocations referenced), also download the corresponding SHA-256
checksum or signature from a trusted source, compute the local checksum (e.g.,
using shasum -a 256 or sha256sum) for the saved ffmpeg.zip, compare it to the
trusted checksum and fail the action if they differ, and only proceed to
unzip/extract when the verification succeeds; apply the same checksum
download+verify flow to the other curl blocks mentioned (lines 36-38 and 45-47)
so every downloaded archive is verified before extraction.
- Around line 31-33: The curl downloads for FFmpeg currently don't treat HTTP
4xx/5xx as errors, so add the --fail flag to the curl invocations that fetch
"https://www.osxexperts.net/ffmpeg${FF_VERSION}arm.zip" (and the other two
FFmpeg download curl commands referenced nearby) so HTTP errors trigger the
configured --retry/--retry-delay and fail fast before unzip; keep the existing
flags (-sS -L --retry 3 --retry-delay 5) and simply insert --fail into those
curl command arguments.