chore: [SEC-7924] pin third-party GitHub Actions to commit SHAs (#429)

## Summary

Pin all third-party GitHub Actions to full-length commit SHAs to prevent
supply chain attacks.

Addresses findings from the
[`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml)
Semgrep rule.

## Test plan

- [ ] Verify CI passes with pinned action SHAs

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low-risk security hardening that only changes workflow `uses:`
references, but a bad/obsolete SHA could break CI/publish pipelines at
runtime.
> 
> **Overview**
> Pins multiple third-party GitHub Actions in CI/release workflows
(Android, DevSkim, .NET, Elixir, Go, Java, Python, Ruby, Rust, PHP) from
floating tags (e.g. `@v1`/`@v2`/`@v3`) to full commit SHAs.
> 
> This reduces GitHub Actions supply-chain risk without changing
build/test logic, but makes workflow execution dependent on the
specified action revisions.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2594cdd. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
<!-- ld-jira-link -->
---
Related Jira issue: [SEC-7924: Unpinned GitHub Actions
remediation](https://launchdarkly.atlassian.net/browse/SEC-7924)
<!-- end-ld-jira-link -->

Author: pkaeding

.github/actions/publish-android-sdk/action.yml

@@ -39,7 +39,7 @@ runs:
               java-version: ${{ inputs.java_version }}
 
         - name: Setup Android SDK
-          uses: android-actions/setup-android@v3
+          uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3
 
         - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
           name: Get secrets

.github/workflows/devskim.yml

@@ -25,7 +25,7 @@ jobs:
                   token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Run DevSkim scanner
-              uses: microsoft/DevSkim-Action@v1
+              uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1
               with:
                   ignore-globs: '**/otel/samples/**'
 

.github/workflows/dotnet.yml

@@ -56,7 +56,7 @@ jobs:
                   dotnet-version: 8.x
 
             - name: Setup dotnet
-              uses: microsoft/setup-msbuild@v2
+              uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2
 
             - name: msbuild restore
               run: msbuild -t:Restore

.github/workflows/elixir-sdk.yml

@@ -24,7 +24,7 @@ jobs:
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
             - name: Setup Elixir
-              uses: erlef/setup-beam@v1
+              uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
               with:
                   elixir-version: ${{ env.ELIXIR_VERSION }}
                   otp-version: ${{ env.OTP_VERSION }}
@@ -41,7 +41,7 @@ jobs:
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
             - name: Setup Elixir
-              uses: erlef/setup-beam@v1
+              uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
               with:
                   elixir-version: ${{ env.ELIXIR_VERSION }}
                   otp-version: ${{ env.OTP_VERSION }}
@@ -63,12 +63,12 @@ jobs:
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
             - name: Setup Elixir
-              uses: erlef/setup-beam@v1
+              uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1
               with:
                   elixir-version: ${{ env.ELIXIR_VERSION }}
                   otp-version: ${{ env.OTP_VERSION }}
             - name: Publish to Hex
-              uses: synchronal/hex-publish-action@v3
+              uses: synchronal/hex-publish-action@2e73c1e570ae96dcfe548b498df7c8c1942a3100 # v3
               with:
                   name: highlight
                   key: ${{ secrets.HEX_PM_KEY }}

.github/workflows/go-sdk.yml

@@ -25,7 +25,7 @@ jobs:
                   go-version-file: './sdk/highlight-go/go.mod'
                   cache-dependency-path: './sdk/highlight-go/go.sum'
             - name: Format
-              uses: Jerome1337/gofmt-action@v1.0.5
+              uses: Jerome1337/gofmt-action@d5eabd189843f1d568286a54578159978b7c0fb1 # v1.0.5
               with:
                   gofmt-path: './sdk/highlight-go'
                   gofmt-flags: '-l -d'
@@ -44,7 +44,7 @@ jobs:
                   go-version-file: './sdk/highlight-go/go.mod'
                   cache-dependency-path: './sdk/highlight-go/go.sum'
             - name: Run linter
-              uses: golangci/golangci-lint-action@v6.4.1
+              uses: golangci/golangci-lint-action@818ec4d51a1feacefc42ff1b3ec25d4962690f39 # v6.4.1
               with:
                   args: -v --config ./.golangci.yaml
                   working-directory: sdk/highlight-go

.github/workflows/java-sdk.yml

@@ -152,7 +152,7 @@ jobs:
                   retention-days: 1
 
             - name: Publish Test Report
-              uses: mikepenz/action-junit-report@v4
+              uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4
               with:
                   commit: ${{github.event.workflow_run.head_sha}}
                   report_paths: '**/target/surefire-reports/TEST-*.xml'

.github/workflows/python-plugin.yml

@@ -33,7 +33,7 @@ jobs:
                   python-version: '3.10'
 
             - name: Install poetry
-              uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+              uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439
 
             - run: make install
             - name: Lint
@@ -42,7 +42,7 @@ jobs:
               run: make test
             - name: Get Cover
               if: github.event_name == 'pull_request'
-              uses: orgoro/coverage@v3
+              uses: orgoro/coverage@d77626a5fa35d39123e86d6c62907fabe2491496 # v3
               with:
                   coverageFile: ./sdk/@launchdarkly/observability-python/coverage.xml
                   token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python.yml

@@ -40,7 +40,7 @@ jobs:
               run: poetry run pytest --cov=highlight_io --cov-branch --cov-report xml
             - name: Get Cover
               if: github.event_name == 'pull_request'
-              uses: orgoro/coverage@v3
+              uses: orgoro/coverage@d77626a5fa35d39123e86d6c62907fabe2491496 # v3
               with:
                   coverageFile: ./sdk/highlight-py/coverage.xml
                   token: ${{ secrets.GITHUB_TOKEN }}
@@ -53,7 +53,7 @@ jobs:
                   python -m piptools compile --upgrade pyproject.toml;
             - name: Publish
               if: github.ref == 'refs/heads/main'
-              uses: pypa/gh-action-pypi-publish@release/v1
+              uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
               with:
                   packages-dir: ./sdk/highlight-py/dist/
                   skip-existing: true

.github/workflows/ruby.yml

@@ -24,14 +24,14 @@ jobs:
             - uses: actions/checkout@v4
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
-            - uses: dorny/paths-filter@v2
+            - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2
               id: filter
               with:
                   filters: |
                       ruby-changed:
                         - 'sdk/highlight-ruby/**'
             - name: Install Ruby
-              uses: ruby/setup-ruby@v1
+              uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
               with:
                   ruby-version: ${{ matrix.ruby }}
                   bundler-cache: true # runs 'bundle install' and caches installed gems automatically
@@ -63,7 +63,7 @@ jobs:
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
             - name: Install Ruby
-              uses: ruby/setup-ruby@v1
+              uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
               with:
                   ruby-version: '3.3.4'
                   bundler-cache: true # runs 'bundle install' and caches installed gems automatically
@@ -84,7 +84,7 @@ jobs:
               with:
                   token: ${{ secrets.GITHUB_TOKEN }}
             - name: Install Ruby
-              uses: ruby/setup-ruby@v1
+              uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
               with:
                   ruby-version: '3.3.4'
                   bundler-cache: true # runs 'bundle install' and caches installed gems automatically

.github/workflows/rust-sdk.yml

@@ -29,13 +29,13 @@ jobs:
                   token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Install Rust toolchain
-              uses: actions-rs/toolchain@v1
+              uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
               with:
                   toolchain: stable
                   override: true
 
             - name: Build crates
-              uses: katyo/publish-crates@v2
+              uses: katyo/publish-crates@02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b # v2
               with:
                   path: ./sdk/highlight-rust/
                   dry-run: true
@@ -53,13 +53,13 @@ jobs:
                   token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Install Rust toolchain
-              uses: actions-rs/toolchain@v1
+              uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
               with:
                   toolchain: stable
                   override: true
 
             - name: Publish crates
-              uses: katyo/publish-crates@v2
+              uses: katyo/publish-crates@02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b # v2
               with:
                   path: ./sdk/highlight-rust/
                   registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}