chore: [SEC-7924] pin third-party GitHub Actions to commit SHAs (#668)

[SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent
supply chain attacks. Addresses findings from the
third-party-action-not-pinned-to-commit-sha Semgrep rule.

Author: pkaeding

.github/actions/publish/action.yml

@@ -32,9 +32,9 @@ runs:
   using: composite
   steps:
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
     - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       with:
         platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
     - name: Set up goreleaser

.github/workflows/check-openapi-updates.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Send Slack notification
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         env:
           SLACK_CHANNEL: proj-cli
           SLACK_COLOR: ${{ job.status }}

.github/workflows/go.yml

@@ -24,6 +24,6 @@ jobs:
       run: go build .
 
     - uses: actions/setup-python@v3
-    - uses: pre-commit/action@v3.0.1
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
     - name: test
       run: go test ./...

.github/workflows/release-please.yml

@@ -14,7 +14,7 @@ jobs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
     steps:
-      - uses: google-github-actions/release-please-action@v4
+      - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
         id: release
         with:
           token: ${{secrets.GITHUB_TOKEN}}