Pin third-party GitHub Actions to commit SHA hashes

[Copilot]

Pull Request

Please add description for changes you are making

Pinned all third-party GitHub Actions to full commit SHA1 hashes to prevent supply chain attacks where version tags could be retargeted.

Changes:

• Replaced version tags with 40-character commit SHAs for 17 unique actions across 18 workflow files
• Added inline comments documenting original version (e.g., # v5) for each SHA reference
• Updated CHANGELOG.md with Security section entry referencing issue Use Git Commit SHA1 for all third party GitHub Actions #643

Example:

# Before
uses: actions/checkout@v5

# After  
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

If there is an issue related to this PR, please add the reference

Fixes #643

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Use Git Commit SHA1 for all third party GitHub Actions</issue_title>
<issue_description># ## Sensitive Code Example

# name: Example

# 

# on:

#   pull\_request:

# 

# jobs:

#   example:

#     runs-on: ubuntu-latest

#     steps:

#       - uses: docs/example-action@main  # Sensitive

## Compliant Solution

Use the full commit hash as a reference to pin the version.

```yaml

name: Example

on:

  pull_request:

jobs:

  example:

  runs-on: ubuntu-latest

  steps:

  - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd

</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
</comments>

• Fixes Use Git Commit SHA1 for all third party GitHub Actions #643

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[baynezy]

@copilot please add the issue number to the changelog entry

[github-actions]

Test Results

201 tests  ±0   201 ✅ ±0   2s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 930ae6e. ± Comparison against base commit 1a2f4c4.

[sonarqubecloud]

Quality Gate failed

Failed conditions
5 Security Hotspots
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[Copilot]

@copilot please add the issue number to the changelog entry

Added issue number #643 to the changelog entry in commit b7aff1d.