
security: Pin GitHub Actions to specific git revisions#6

Merged
nmakarava-mdsol merged 2 commits into main from batch-change/pin-github-actions-2026 on Jun 11, 2026

Conversation

@platform-change-automation


Summary

This change improves our supply chain security by pinning all third-party GitHub Actions to specific git revisions using pinact.

Why this matters

When GitHub Actions are referenced by mutable tags like @v3 or @main, the actual code being executed can change without notice. This creates security risks:

  1. A compromised action could introduce malicious code
  2. Breaking changes could be introduced unexpectedly
  3. Build reproducibility is compromised

What changed

  • All third-party GitHub Actions references now use immutable SHA references (@{sha}) instead of mutable tags
  • The original tag is preserved as a trailing comment so humans can still see the version
  • Internal actions from the mdsol organization are left untouched via pinact's --exclude '^mdsol/' flag
  • Future updates can be managed with pinact run to refresh SHAs against the version comments

Testing

This change does not modify the behavior of the workflows, only pins them to specific revisions. Workflows will continue to function as before, but with improved security and reproducibility.

References


This change was made automatically using the batch changes tool that @johnduhart is working on.
🔗 Changeset Specification
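The description above says what the pinning change does but not how a reviewer would confirm it on a workflow file. The following is an added example, not code from this PR, from pinact, or from the mdsol organization: a small checker that walks every `uses:` step in a workflow, reports whether the ref is a mutable tag or branch, a full 40-hex SHA, a SHA with the original tag preserved as a trailing comment, or an internal action matched by the same `^mdsol/` exclusion pattern the PR used. The workflow text, the action names and the SHAs in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the PR) covering the cases a reviewer
# of a pinning change wants flagged: a mutable tag, a SHA pin that keeps the
# original tag as a trailing comment, a SHA pin with no comment, an internal
# action excluded via the PR's '^mdsol/' pattern, and refs that are not
# GitHub repository actions at all. The SHAs are placeholder hex, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: mdsol/internal-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Run tests
        run: npm test
"""

# Matches a `uses:` step line, capturing the action ref and an optional
# trailing `# comment` (the place a pinning tool keeps the human-readable tag).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")
# A full 40-hex commit SHA is the only immutable form of a git ref here.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref, comment, exclude_re):
    """Return one of: skipped, excluded, unpinned, pinned, pinned-no-comment."""
    # Local composite actions and Docker images are not GitHub repo refs.
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if exclude_re.search(ref):
        return "excluded"
    if "@" not in ref:
        return "unpinned"  # a bare `owner/repo` resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if not SHA_RE.fullmatch(version):
        return "unpinned"  # tag or branch name: the code behind it can change
    if not comment:
        return "pinned-no-comment"  # immutable, but humans cannot see the version
    return "pinned"


def audit_workflow(text, exclude_pattern=r"^mdsol/"):
    """Scan workflow YAML text; return (line_no, ref, status) for every `uses:`."""
    exclude_re = re.compile(exclude_pattern)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        status = classify_ref(m.group("ref"), m.group("comment"), exclude_re)
        findings.append((line_no, m.group("ref"), status))
    return findings


def unpinned_refs(findings):
    """The refs a pinning change (or a CI gate) still has to deal with."""
    return [ref for _, ref, status in findings if status == "unpinned"]


if __name__ == "__main__":
    for line_no, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no:3d}  {status:18s} {ref}")
```

Run against the sample, the checker reports `actions/checkout@v4` as the one ref still needing a pin, separates the SHA pin that kept its `# v4.0.3` comment from the one that lost it, and leaves the `mdsol/` action alone exactly as the PR's exclusion did; wiring `unpinned_refs` into a CI step is one way to keep a repository from regressing to mutable tags after a change like this one is merged.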

@nmakarava-mdsol nmakarava-mdsol merged commit acb8431 into main Jun 11, 2026
3 checks passed
@nmakarava-mdsol nmakarava-mdsol deleted the batch-change/pin-github-actions-2026 branch June 11, 2026 14:06