[Backport 2.19] Pin GitHub Actions to commit SHAs (#12041)

[angle943]

Backport of #12041 to 2.19.

What

Pins every GitHub Actions uses: reference in the workflow files to a full commit SHA (with the version retained as a trailing comment), hardening CI against supply-chain tag-mutation attacks. This unblocks the 2.19 CI check that fails when actions are not pinned to SHAs.

Why this is a manual port (not a clean cherry-pick)

2.19's workflows have diverged from main:

• 9 of the 16 workflow files in Pin GitHub Actions to commit SHAs #12041 do not exist on 2.19 (they are main-only), so they are intentionally excluded.
• 2.19 has opensearch_changelog_workflow.yml, which main lacks — it is included here.
• Several actions are at older major versions on 2.19 than on main.

So instead of cherry-picking, the pinning was applied directly to the 8 workflow files present on 2.19 (68 references total).

SHA sourcing

• For action versions shared with main, the exact SHAs from Pin GitHub Actions to commit SHAs #12041 are reused.
• For versions unique to 2.19, SHAs were resolved from each action's upstream tag: actions/checkout v2/v3, actions/setup-node v2/v3, actions/setup-java v3, actions/cache v3, actions/download-artifact v4.1.7, cypress-io/github-action v2, and BigSamu/OpenSearch_Changelog_Workflow 1.0.0-alpha1.

Testing

• All 8 workflow files validate as YAML.
• Verified every uses: reference across .github/workflows/ is now SHA-pinned (0 remaining tag refs).
• Diff is a symmetric 68 insertions / 68 deletions (reference pinning only; no logic changes).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.10%. Comparing base (05be93b) to head (fcb5015).
⚠️ Report is 2 commits behind head on 2.19.

Additional details and impacted files

@@            Coverage Diff             @@
##             2.19   #12265      +/-   ##
==========================================
- Coverage   61.12%   61.10%   -0.02%     
==========================================
  Files        3815     3815              
  Lines       91567    91594      +27     
  Branches    14475    14484       +9     
==========================================
  Hits        55973    55973              
- Misses      32030    32055      +25     
- Partials     3564     3566       +2     

Flag	Coverage Δ
Linux_2	56.61% <ø> (ø)
Linux_4	29.16% <ø> (ø)
Windows_1	29.12% <ø> (ø)
Windows_2	56.56% <ø> (ø)
Windows_3	38.04% <ø> (-0.02%)	⬇️
Windows_4	29.16% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔗 Workflow run · commit fcb5015962091e7351c6df73347e45a88ca121ca