[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security (#150)

## 🔒 Security Enhancement: GitHub Actions Pinning

### 📋 What This PR Does
This PR automatically pins GitHub Actions references from tag-based
versions (e.g., `@v4`) to their corresponding SHA hashes (e.g.,
`@abc123...`) while preserving the original tag as a comment for
readability.
No functional changes to your workflows - they'll work exactly the same
way

### 🎯 Why This Matters
**Supply Chain Security**: Pinning GitHub Actions to specific SHA hashes
prevents supply chain security and reliability risks because git tags
are mutable and can be moved to point to different commits by malicious
actors or maintainers, potentially introducing vulnerabilities or
breaking changes into workflows.

### 🤖 Keep Actions Updated with Dependabot
Now that your actions are pinned to SHA hashes, you can enable
Dependabot to automatically create PRs when new versions are available.
Add this configuration to your repository:

**Create or update `.github/dependabot.yml`:**
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore"
      include: "scope"
```

This will:
- 🔄 Check for action updates weekly
- 📬 Create PRs automatically when newer versions are available
- 🏷️ Update both the SHA hash and the comment with the new tag
- 🎯 Keep your actions secure AND up-to-date

### 🤝 Questions or Concerns?
For any questions about this security enhancement, please reach out to
the **SDL Security team** in the **#sdlc-security** Slack channel.

---
*This PR was automatically generated by the GitHub Actions Pinning Tool
as part of our ongoing security improvements.*

Author: juliendoutre

.github/workflows/_test_bare_metal.yml

@@ -37,8 +37,8 @@ jobs:
     name: ${{ matrix.runs-on }} ${{ matrix.go-version }}${{ matrix.waf-log-level && format(' (DD_APPSEC_WAF_LOG_LEVEL={0})', matrix.waf-log-level) || '' }}
     runs-on: ${{ matrix.runs-on }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ matrix.go-version }}
           cache: true

.github/workflows/_test_containerized.yml

@@ -9,12 +9,12 @@ jobs:
       stable: ${{ steps.stable.outputs.go-version }}
       oldstable: ${{ steps.oldstable.outputs.go-version }}
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         id: oldstable
         with:
           go-version: 'oldstable'
           cache: false
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         id: stable
         with:
           go-version: 'stable'
@@ -43,8 +43,10 @@ jobs:
     # We use ARM runners when needed to avoid the performance hit of QEMU
     runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || 'ubuntu-24.04-arm' }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/go/pkg/mod
           key: go-pkg-mod-${{ hashFiles('**/go.mod') }}