ci: pin Blacksmith actions to full commit SHAs

Match the action-hardening policy (d2ddf9f) by replacing the floating
@v5 / @v1 refs introduced in earlier rollout commits with full 40-char
commit SHAs and a trailing "# v<N>" comment, matching the format
already used for actions/checkout, actions/setup-node, actions/setup-go,
oven-sh/setup-bun, etc.

Resolved tag SHAs (via git ls-remote, 2026-05-19):
  useblacksmith/cache       v5 -> 71c7c918062ba3861252d84b07fe5ab2a6b467a6
  useblacksmith/setup-node  v5 -> 65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391
  useblacksmith/setup-go    v5 -> f12a3dabb4171193018e496855e47349b360c056
  useblacksmith/checkout    v1 -> 41cdeedae8edb2e684ba22896a5fd2a3cb85db6b

Dependabot (github-actions ecosystem) already groups major bumps in
.github/dependabot.yml, so these will get automated updates the same
way the upstream actions do.

Author: claude

.github/actions/setup/action.yml

@@ -11,7 +11,7 @@ runs:
 
     - name: Restore Bun toolchain cache
       id: bun-toolchain-cache
-      uses: useblacksmith/cache@v5
+      uses: useblacksmith/cache@71c7c918062ba3861252d84b07fe5ab2a6b467a6 # v5
       with:
         path: /opt/hostedtoolcache/bun
         key: bun-toolchain-${{ runner.os }}-${{ runner.arch }}-${{ env.BUN_VERSION }}
@@ -39,7 +39,7 @@ runs:
       run: bun --version
 
     - name: Install Node.js
-      uses: useblacksmith/setup-node@v5
+      uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5
       with:
           node-version-file: .nvmrc
           package-manager-cache: false
@@ -49,7 +49,7 @@ runs:
       run: npm install --global --force corepack && corepack enable
 
     - name: Configure dependency cache
-      uses: useblacksmith/setup-node@v5
+      uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5
       with:
         cache: pnpm
 

.github/workflows/cli-go-ci.yml

@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: useblacksmith/setup-go@v5
+      - uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache: true
@@ -60,7 +60,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: useblacksmith/setup-go@v5
+      - uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           # Linter requires no cache
@@ -78,7 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: useblacksmith/setup-go@v5
+      - uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache: true
@@ -102,7 +102,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: useblacksmith/setup-go@v5
+      - uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache: true
@@ -118,7 +118,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: useblacksmith/setup-go@v5
+      - uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache: true

.github/workflows/release-shared.yml

@@ -57,7 +57,7 @@ jobs:
         uses: ./.github/actions/setup
 
       - name: Setup Go
-        uses: useblacksmith/setup-go@v5
+        uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache: true

.github/workflows/release.yml

@@ -55,7 +55,7 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: useblacksmith/checkout@v1
+      - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
         with:
           fetch-depth: 0
           token: ${{ steps.app-token.outputs.token }}
@@ -97,7 +97,7 @@ jobs:
       # Authorization header overrides the App token semantic-release puts in
       # the push URL — making the dry-push identify as `github-actions[bot]`
       # and get rejected by branch protection.
-      - uses: useblacksmith/checkout@v1
+      - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
         with:
           fetch-depth: 0
           persist-credentials: false

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
       - name: Setup Go
-        uses: useblacksmith/setup-go@v5
+        uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache-dependency-path: apps/cli-go/go.sum
@@ -57,7 +57,7 @@ jobs:
       - name: Setup
         uses: ./.github/actions/setup
       - name: Setup Go
-        uses: useblacksmith/setup-go@v5
+        uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache-dependency-path: apps/cli-go/go.sum
@@ -80,7 +80,7 @@ jobs:
         shard: [ 1, 2, 3 ]
     steps:
       - name: Checkout
-        uses: useblacksmith/checkout@v1
+        uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
         with:
           fetch-depth: 0
 
@@ -123,7 +123,7 @@ jobs:
       - name: Setup Go
         if: steps.detect.outputs.cli_e2e == 'true' &&
           steps.cache-go-binary.outputs.cache-hit != 'true'
-        uses: useblacksmith/setup-go@v5
+        uses: useblacksmith/setup-go@f12a3dabb4171193018e496855e47349b360c056 # v5
         with:
           go-version-file: apps/cli-go/go.mod
           cache-dependency-path: apps/cli-go/go.sum