fix: pin GitHub Actions to immutable commit SHAs

Mitigates supply chain attacks via tag mutation (CVE-2025-30066)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sionsmith

.github/workflows/generate.yml

@@ -20,8 +20,8 @@ jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
           cache: npm
@@ -51,7 +51,7 @@ jobs:
 
       - name: Create PR
         if: steps.diff.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
         with:
           branch: chore/regenerate-types
           commit-message: "chore: regenerate types from updated OpenAPI spec"