
Pin GitHub Actions to commit SHAs#4828

Open
Divyaasm wants to merge 1 commit into opensearch-project:main from Divyaasm:pin-actions-to-sha

Conversation

@Divyaasm

Description

Pin all GitHub Action tag references to their corresponding commit SHAs.

Tags are mutable references that can be force-pushed to point to different commits, making them vulnerable to supply chain attacks. Commit SHAs are immutable and guarantee that the exact reviewed code is executed in CI workflows. This change pins all third-party actions to their current commit SHAs to prevent potential tampering.

Signed-off-by: Divya Madala <divyaasm@amazon.com>
@Divyaasm Divyaasm requested a deployment to ml-commons-cicd-env-require-approval May 22, 2026 00:45 — with GitHub Actions Waiting
@github-actions

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 6fef1d8.

| Path | Line | Severity | Description |
| --- | --- | --- | --- |
| .github/workflows/auto-release.yml | 16 | high | tibdex/github-app-token pinned to SHA 1901dc7d52169e70c27a8da37aef0d423e2867a2. This third-party action has access to APP_ID and APP_PRIVATE_KEY secrets. The SHA must be independently verified to correspond to the claimed v1.5.0 tag. |
| .github/workflows/auto-release.yml | 21 | high | dawidd6/action-get-tag pinned to SHA 727a6f0a561be04e09013531e73a3983a65e3479. Third-party action change; SHA authenticity against the v1 tag must be verified by maintainers. |
| .github/workflows/auto-release.yml | 23 | high | ncipollo/release-action pinned to SHA 339a81892b84b4eeb0f6e744e4574d79d0d9b8dd. This action uses the GitHub App token and creates releases; SHA must be verified against the v1 tag. |
| .github/workflows/backport.yml | 25 | high | VachaShah/backport pinned to SHA 28c49d91ceec57d7c9f625f1031c1a4d637251f5. Third-party action with access to the GitHub App token; SHA must be verified against tag v1.1.4. |
| .github/workflows/delete_backport_branch.yml | 14 | high | SvanBoxel/delete-merged-branch pinned to SHA 2b5b058e3db41a3328fd9a6a58fd4c2545a14353. Previously used @main (mutable); the SHA replacing it must be verified as the intended commit. |
| .github/workflows/maven-publish.yml | 31 | high | 1password/load-secrets-action pinned to SHA 581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0. This action exports secrets as environment variables including Maven and AWS credentials; SHA must be verified against v2. |
| .github/workflows/CI-workflow.yml | 72 | high | aws-actions/configure-aws-credentials pinned to SHA 7474bc4690e29a8392af63c5b98e7449536d5c3a. This action assumes an IAM role; SHA must be verified against the v4 tag. |
| .github/workflows/CI-workflow.yml | 93 | high | codecov/codecov-action pinned to SHA ab904c41d6ece82784817410c45d8b8c02684457 (v3) and b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 (v4). Codecov actions have been previously abused in supply chain attacks; both SHAs must be verified. |
| .github/workflows/CI-workflow.yml | 18 | high | opensearch-project/opensearch-build reusable workflows pinned to SHA c2498b758c08fb7bc48476509a5fc1b8dd5f7493 (replacing @main). SHA must be verified as the intended main branch commit. |
| .github/workflows/draft-release-notes-workflow.yml | 14 | high | release-drafter/release-drafter pinned to SHA 09c613e259eb8d4e7c81c2cb00618eb5fc4575a7. Third-party action change; SHA must be verified against the v5 tag. |

The table above displays the top 10 most important findings.

Total: 19 | Critical: 0 | High: 19 | Medium: 0 | Low: 0


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.
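The PR description above explains why tag references are replaced with commit SHAs, and the analyzer report asks that every SHA be checked against the tag it claims to replace. The script below is an added example for reviewers of this kind of change; it is not part of the PR and not opensearch-project code. It scans workflow text for `uses:` references, flags tag and branch references as mutable, accepts 40-character hex SHAs, and reports SHA-pinned lines that lack the trailing `# vX.Y.Z` comment a reviewer needs in order to know which tag to verify against. The workflow text is constructed sample input, and action names such as `example-org/pinned-action` are placeholders, not real actions.

```python
import re
from typing import Dict, List

# Constructed sample workflow (placeholder action names, not real repositories).
# It mixes the reference styles a reviewer meets: a version tag, a branch,
# a SHA with a version comment, a SHA without one, a local action and a
# container image.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/unpinned-action@main
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.5.0
      - uses: example-org/pinned-no-comment@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.19
"""

# Matches step-level and job-level `uses:` lines; captures the reference and
# any trailing comment (conventionally the human-readable version).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'local', 'docker', 'sha', 'mutable' or 'missing-ref'."""
    if ref.startswith("./"):
        return "local"            # travels with the repository commit itself
    if ref.startswith("docker://"):
        return "docker"           # image reference, pinned by digest rather than git SHA
    if "@" not in ref:
        return "missing-ref"
    version = ref.rsplit("@", 1)[1]   # rsplit: reusable-workflow paths contain '/'
    return "sha" if SHA_RE.match(version) else "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Classify every `uses:` line and say whether it is acceptably pinned."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        kind = classify_ref(ref)
        ok, reason = True, "pinned to an immutable commit SHA"
        if kind == "mutable":
            ok, reason = False, "tag or branch reference can be moved; pin to a commit SHA"
        elif kind == "missing-ref":
            ok, reason = False, "no @ref given"
        elif kind == "sha" and not comment:
            ok, reason = False, ("SHA has no trailing '# vX.Y.Z' comment, so reviewers "
                                 "cannot tell which tag it is meant to match")
        elif kind == "local":
            reason = "local action, versioned with the repository itself"
        elif kind == "docker":
            if "@sha256:" in ref:
                reason = "container image pinned by digest"
            else:
                ok, reason = False, "container image tag is mutable; pin with @sha256:<digest>"
        findings.append({"line": lineno, "ref": ref, "kind": kind, "ok": ok, "reason": reason})
    return findings


def unpinned(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the findings a reviewer needs to act on."""
    return [f for f in findings if not f["ok"]]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "OK  " if f["ok"] else "FAIL"
        print(f"{status} line {f['line']:3d} {f['ref']}: {f['reason']}")
```

The script only checks the shape of each reference. The second step the analyzer asks for, confirming that a SHA really is the commit behind the claimed tag, needs the upstream repository: `git ls-remote <repo-url> refs/tags/<tag>` prints the SHA the tag points at, and for annotated tags the peeled form `refs/tags/<tag>^{}` gives the underlying commit, which is the value that belongs in the workflow.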
