ci: pin actions to full-length commit hashes #68

Merged
joshuasing merged 1 commit into main from joshua/pin-actions
Jan 12, 2026
@joshuasing

This pull request pins all GitHub Actions to their full-length commit SHAs. Used GitHub Actions have not been updated, and have been pinned to commit hashes for the latest release matching the existing tag.

The organisation-level setting "Require actions to be pinned to a full-length commit SHA" will be enabled on January 15th, 2026. Once this setting is active, any workflows referencing actions by tag (e.g., @v4) or branch (e.g., @master) will fail to execute.

Additionally, the setting "Allow hemilabs, and select non-hemilabs, actions and reusable workflows" will be enabled on the same date. All third-party actions currently in use by this repository have been recorded and will be permitted. After January 15th, 2026, any new third-party actions must be approved by SecOps before use.

Pinning actions to immutable commit hashes reduces the potential for supply chain attacks from:

  • Tag mutation attacks (where a malicious actor overwrites a tag with compromised code)
  • Unexpected changes from upstream action updates

For more information, please see:

All original version tags are preserved as inline comments for maintainability.


This pull request does not update any actions. All actions have been pinned to the most recent commit for the pre-existing tag -- please update actions in a separate pull request if necessary. Pinned actions:

| Action | Update | Change |
| --- | --- | --- |
| actions/checkout | pin | v4 -> v4.3.1 (34e1148) |
| actions/setup-node | pin | v4 -> v4.4.0 (49933ea) |
| foundry-rs/foundry-toolchain | pin | v1 -> v1.6.0 (8b0419c) |

Detected third-party actions:

foundry-rs/foundry-toolchain@v1.6.0
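
An added example, not part of the pull request or the hemilabs repository: a small Python audit for the policy described above. It flags `uses:` references that are not pinned to a full-length commit SHA, pinned references that lost their version comment, and third-party owners. The first-party owner set, the sample workflow, its placeholder hashes and `hemilabs/example-action` are assumptions made for illustration.

```python
import re

# A `uses:` key (step or reusable-workflow job), with an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: owners counted as first-party; any other owner is reported as third-party.
FIRST_PARTY_OWNERS = {"hemilabs", "actions"}

def audit_workflow(text):
    """Audit the `uses:` references in one workflow file's text."""
    report = {"unpinned": [], "no_version_comment": [], "third_party": set()}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        # Local actions and docker:// images carry no git ref; not covered by this check.
        if target.startswith(("./", "docker://")):
            continue
        name, _, ref = target.partition("@")
        if not FULL_SHA_RE.fullmatch(ref):
            # Tags and branches can be moved; an abbreviated hash is not full-length.
            report["unpinned"].append((lineno, target))
        elif not comment:
            # Pinned, but the human-readable version tag was not kept as a comment.
            report["no_version_comment"].append((lineno, target))
        if name.split("/")[0].lower() not in FIRST_PARTY_OWNERS:
            report["third_party"].add(name)
    report["third_party"] = sorted(report["third_party"])
    return report

# Constructed workflow; the 40-character hashes are placeholders, not real commits,
# and hemilabs/example-action is a hypothetical name.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: actions/setup-node@v4
      - uses: foundry-rs/foundry-toolchain@8b0419c
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: hemilabs/example-action@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for key, value in audit_workflow(SAMPLE).items():
        print(key, value)
```

The abbreviated hash on the foundry-toolchain line is reported as unpinned on purpose: only a 40-character SHA counts as full-length.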

@jcvernaleo jcvernaleo left a comment

OK

@joshuasing joshuasing merged commit dfa5c75 into main Jan 12, 2026
2 checks passed