ci: pin github actions to commit SHAs for supply-chain safety

replace mutable version tags with full commit SHAs to prevent
upstream retargeting attacks (CWE-494/CWE-829):
- actions/checkout@v5 → 93cb6efe
- actions/setup-go@v6 → 4a360112
- golangci/golangci-lint-action@v9 → 1e7e51e7
- actions/upload-artifact@v4 → ea165f8d

applied to both maas-api-ci.yml and maas-controller-ci.yml.

Signed-off-by: Chaitanya Kulkarni <ckulkarn@redhat.com>
Signed-off-by: Chaitanya Kulkarni <chkulkar@redhat.com>
Made-with: Cursor

Author: chaitanya1731

.github/workflows/maas-api-ci.yml

@@ -21,31 +21,31 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Align golangci-lint version with Makefile
         id: golangci-version
         run: |
           VERSION=$(grep '^GOLANGCI_LINT_VERSION' tools.mk | cut -d'=' -f2 | tr -d ' ?')
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: maas-api/go.mod
           cache: true
           cache-dependency-path: maas-api/go.sum
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
           version: ${{ steps.golangci-version.outputs.version }}
           working-directory: ${{ env.PROJECT_DIR }}
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: ${{ env.PROJECT_DIR }}/go.mod
           cache: true
@@ -55,7 +55,7 @@ jobs:
         run: make test
 
       - name: Upload coverage reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: coverage-reports

.github/workflows/maas-controller-ci.yml

@@ -21,32 +21,32 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Align golangci-lint version with Makefile
         id: golangci-version
         run: |
           VERSION=$(grep '^GOLANGCI_LINT_VERSION' tools.mk | cut -d'=' -f2 | tr -d ' ?')
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: maas-controller/go.mod
           cache: true
           cache-dependency-path: maas-controller/go.sum
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
         with:
           version: ${{ steps.golangci-version.outputs.version }}
           working-directory: ${{ env.PROJECT_DIR }}
 
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version-file: ${{ env.PROJECT_DIR }}/go.mod
           cache: true
@@ -56,7 +56,7 @@ jobs:
         run: make test
 
       - name: Upload coverage reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: maas-controller-coverage