
Pin GitHub Actions to full commit SHAs #4368

Open
Xeboc wants to merge 1 commit into peter-evans:main from Xeboc:pin-action-shas

Conversation

@Xeboc Xeboc commented Apr 17, 2026

Pins all uses: references in workflow files to full commit SHAs. This allows users with org-level or repo-level SHA enforcement policies to use this action without policy violations caused by unpinned downstream dependencies.

This came up while working on a similar change to trunk-io/trunk-action (trunk-io/trunk-action#291), where trunk pulls in create-pull-request. Even when trunk itself is pinned to a full SHA, the enforcement policy still fails on unpinned uses: in its dependencies:

Download action repository 'trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b' (SHA:75699af9e26881e564e9d832ef7dc3af25ec031b)
Getting action download info
Error: The actions actions/checkout@v4, peter-evans/find-comment@v3, peter-evans/create-or-update-comment@v4,
actions/cache@v4, actions/upload-artifact@v4, and 1 other are not allowed in testing/ci-cd-testing
because all actions must be pinned to a full-length commit SHA.

Unpinned action references are also a supply chain risk, as a tag can be moved to point to a different commit at any time. The recent Trivy advisory is a good example of how this attack surface gets exploited in practice.

If this one is merged, would you also accept PRs for the rest of your published actions? Dependabot will upgrade these SHAs automatically when it runs. Pinact was used to find these SHAs quickly.
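As an added illustration (this is not the PR's own change, nor code from create-pull-request, pinact or Dependabot), the following stdlib-only Python check flags the same class of `uses:` references that the policy error quoted above rejects, and rewrites tag references into the SHA-pinned form with the trailing `# vX` comment that Dependabot reads when it bumps pinned SHAs. The workflow text, the 40-character placeholder SHAs and the resolution table are constructed for the example; `check_workflow` and `rewrite_pins` are hypothetical names, and resolving a tag to its commit is assumed to happen out of band (for example with `git ls-remote` or pinact).

```python
import re

# A full-length commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches a `uses:` line in a workflow, capturing the leading text (indent,
# optional list dash), the action reference, and an optional trailing comment.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<target>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)

# Constructed sample workflow, not taken from any real repository. The
# 40-char runs of a single hex digit are placeholder SHAs, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peter-evans/find-comment@v3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: actions/cache@1111111111111111111111111111111111111111 # v4
      - uses: actions/upload-artifact@2222222222222222222222222222222222222222
"""


def check_workflow(text):
    """Return (line_no, target, reason) for every `uses:` reference that an
    'all actions must be pinned to a full-length commit SHA' policy would reject,
    plus SHA-pinned references that lack the version comment Dependabot reads."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group("target"), m.group("comment")
        if target.startswith("./"):
            # Local action: its code is whatever the checked-out commit contains.
            continue
        if target.startswith("docker://"):
            findings.append((line_no, target, "docker image tag is mutable; pin by digest"))
            continue
        if "@" not in target:
            findings.append((line_no, target, "no ref at all (resolves to default branch)"))
            continue
        ref = target.rsplit("@", 1)[1]
        if not SHA_RE.match(ref):
            findings.append((line_no, target, f"mutable ref '{ref}' (tag or branch)"))
        elif not comment:
            findings.append((line_no, target, "SHA-pinned but missing '# vX' version comment"))
    return findings


def rewrite_pins(text, resolved):
    """Rewrite `uses: owner/repo@tag` lines to `uses: owner/repo@<sha> # tag`.
    `resolved` maps the original target to (sha, version_label); resolving a tag
    to its commit is done out of band (git ls-remote, pinact, etc.) and is an
    assumption here. Lines not in the table are passed through unchanged."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("target") in resolved:
            action = m.group("target").rsplit("@", 1)[0]
            sha, version = resolved[m.group("target")]
            line = f"{m.group('prefix')}{action}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed resolution table with placeholder SHAs (not real commits).
SAMPLE_RESOLVED = {
    "actions/checkout@v4": ("a" * 40, "v4"),
    "peter-evans/find-comment@v3": ("b" * 40, "v3"),
}

if __name__ == "__main__":
    for line_no, target, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target}: {reason}")
    print(rewrite_pins(SAMPLE_WORKFLOW, SAMPLE_RESOLVED))
```

The check is line-based rather than a full YAML parser, so flow-style or multi-line `uses:` forms would need a real YAML loader; local `./` actions are skipped because they are already fixed by the commit that was checked out, while `docker://` references are reported separately since a full SHA does not apply to them and a digest pin is the equivalent control.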
