[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security

[juliendoutre]

🔒 Security Enhancement: GitHub Actions Pinning

📋 What This PR Does

This PR automatically pins GitHub Actions references from tag-based versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...) while preserving the original tag as a comment for readability.
No functional changes to your workflows - they'll work exactly the same way

🎯 Why This Matters

Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.

🤖 Keep Actions Updated with Dependabot

Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:

Create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore"
      include: "scope"

This will:

• 🔄 Check for action updates weekly
• 📬 Create PRs automatically when newer versions are available
• 🏷️ Update both the SHA hash and the comment with the new tag
• 🎯 Keep your actions secure AND up-to-date

🤝 Questions or Concerns?

For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.

---

This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.

[github-actions]

⚠️ Recommendation: Add qa/skip-qa Label

This PR does not modify any files shipped with the agent.

To help streamline the release process, please consider adding the qa/skip-qa label if these changes do not require QA testing.