
Pin GitHub Actions to specific commit SHAs #108

Open
dev-platform-overlook[bot] wants to merge 1 commit into master from devp/pin-action-shas

Conversation

@dev-platform-overlook
Contributor

This PR pins all GitHub Actions to specific commit SHAs for improved security and stability.

Why pin Actions to SHAs?

Using commit SHAs instead of tags or branch names provides several security and stability benefits:

  • Security: Prevents potential supply-chain attacks where an action's tag could be moved to malicious code
  • Immutability: Ensures the exact same code runs every time, even if tags are moved or deleted
  • Auditability: Makes it clear exactly which version of each action is being used
  • Stability: Prevents unexpected breaking changes from tag updates

Implementation

  • This change uses pinact to automatically pin actions while maintaining human-readable comments showing the original tag reference.
  • If required, a Dependabot configuration has also been added/updated to keep the pinned actions up to date.
  • If required, a GitHub Actions workflow has been added to check that all actions are pinned in future changes.
  • Shared workflows from fac/[ops-]shared-workflows on the main branch are intentionally excluded from pinning.
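The bullets above describe a check workflow that fails future changes when an action is not pinned. Below is an added example of such a check, written for this page and not the project's own workflow or pinact's code: it scans workflow text for `uses:` lines and reports any ref that is not a full 40-hex commit SHA, treats a pinned line without the trailing `# tag` comment as a finding (so the original tag stays visible to reviewers and Dependabot), and skips `fac/shared-workflows` and `fac/ops-shared-workflows` on `main` as the PR says. The `fac` owner is taken from the PR text as written, and the sample workflows and SHAs are constructed placeholders, not real commits.

```python
"""Checker for the "all GitHub Actions must be pinned to a commit SHA" rule.

Added example (not the project's own tooling). Reports `uses:` references
whose ref is a tag, branch or short SHA; only a full 40-hex commit is
immutable. Local actions (./path) and docker:// images are not pinnable
references and are ignored.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# `uses: owner/repo[/subpath]@ref   # optional trailing comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Exclusions from the PR description. Owner `fac` is assumed from the PR text;
# adjust to your own organisation.
EXCLUDED_REPOS = ("fac/shared-workflows", "fac/ops-shared-workflows")
EXCLUDED_REF = "main"


def is_excluded(action: str, ref: str) -> bool:
    """Shared workflows the PR deliberately leaves on the main branch."""
    return ref == EXCLUDED_REF and any(
        action == repo or action.startswith(repo + "/") for repo in EXCLUDED_REPOS
    )


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """One finding per `uses:` line that is not a full SHA (kind "unpinned"),
    or that is a full SHA but lacks the human-readable `# vX` comment pinact
    keeps alongside it (kind "missing_comment")."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if is_excluded(action, ref):
            continue
        if not FULL_SHA_RE.match(ref):
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": "unpinned"})
        elif comment is None:
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": "missing_comment"})
    return findings


# Constructed sample: the same workflow before and after pinning.
BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
  shared:
    uses: fac/shared-workflows/.github/workflows/ci.yml@main
"""

# The SHAs below are placeholders of the right shape, not real commits.
AFTER = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
  shared:
    uses: fac/shared-workflows/.github/workflows/ci.yml@main
"""


def main(paths: List[str]) -> int:
    """CLI: exit 1 if any *.yml / *.yaml under the given paths has findings."""
    status = 0
    for p in paths:
        for f in Path(p).rglob("*.y*ml"):
            for fnd in find_unpinned(f.read_text()):
                print(f"{f}:{fnd['line']}: {fnd['kind']}: {fnd['action']}@{fnd['ref']}")
                status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or [".github/workflows"]))
```

Run as `python check_pins.py .github/workflows` from a CI step; a non-zero exit fails the job. Against the constructed samples, `BEFORE` yields two `unpinned` findings (lines 7 and 8) and `AFTER` yields none: the two pinned steps carry their `# v4` comments, the local action is not a pinnable reference, and the shared workflow on `main` is excluded.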

@sonarqubecloud

sonarqubecloud Bot commented May 27, 2026

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@DuncSmith DuncSmith marked this pull request as ready for review May 27, 2026 16:15
@DuncSmith DuncSmith requested a review from a team as a code owner May 27, 2026 16:15
