chore: secure github actions using hash instead of versions

[jeromevdl]

Issue #, if available:

Description of changes:

Replace all explicit versions with hashes to pin to a specific version.

Checklist

• Meet tenets criteria
• Update tests
• Update docs
• PR title follows conventional commit semantics

Breaking change checklist

RFC issue #:

• Migration process documented
• Implement warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.93%. Comparing base (1261e58) to head (8a90e41).
⚠️ Report is 691 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #1232      +/-   ##
============================================
- Coverage     79.35%   78.93%   -0.43%     
- Complexity      641      652      +11     
============================================
  Files            73       74       +1     
  Lines          2446     2506      +60     
  Branches        253      259       +6     
============================================
+ Hits           1941     1978      +37     
- Misses          425      446      +21     
- Partials         80       82       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[scottgerring]

I think this is an improvement on how it is today and we should merge it.

I also think in a subsequent task it is worth digging into the smaller 3rd party actions - e.g. ahmadnassri/action-workflow-run-wait, release-drafter/release-drafter, and jacobtomlinson/gha-find-replace and checking if we can't get away with some github 1st party action, or, a powertools shared action, or failing the previous options reviewing the code of the thing.

[scottgerring]

@jeromevdl I think we should merge this - wdyt?

[jeromevdl]

agree!

[jeromevdl]

except that build fails without clear reason why...

[jeromevdl]

except that build fails without clear reason why...

It was because of the docs.yaml deleted by @kozub, the merge didn't work well... I've deleted it.

[sthulb]

This can be merged assuming the code at each of the hashes has been reviewed to be safe.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information