chore: pin github actions by commit hash

[ankpshah]

• PR title and description conform to Pull Request guidelines.

Issue #, if available:

*Description of changes: Pin github actions by commit hash.

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Reference: Security hardening for GitHub Actions

How did you test these changes?
(Please add a line here how the changes were tested)

Documentation update required?

• No
• Yes (Please include a PR link for the documentation update)

General Checklist

• Added Unit Tests
• Added Integration Tests
• Security oriented best practices and standards are followed (e.g. using input sanitization, principle of least privilege, etc)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov-commenter]

Codecov Report

Merging #2648 (3bd0af5) into main (1bfe8e0) will decrease coverage by 0.01%.
Report is 2 commits behind head on main.
The diff coverage is n/a.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2648      +/-   ##
==========================================
- Coverage   41.81%   41.80%   -0.01%     
==========================================
  Files         902      902              
  Lines       28996    28996              
  Branches     4107     4107              
==========================================
- Hits        12124    12123       -1     
- Misses      15543    15544       +1     
  Partials     1329     1329              

[tjleing]

preliminary approval. would be nice to actually understand why the tests are failing