build: SHA-pin GitHub Actions for supply-chain security (#294)

* build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola <jimisola@jimisola.com>

* build: remove shared workflow SHA pin

Revert check-semantic-pr.yml — shared workflow pinning will be handled
separately via semver tagging of the .github repo.

Signed-off-by: jimisola <jimisola@jimisola.com>

---------

Signed-off-by: jimisola <jimisola@jimisola.com>
Co-authored-by: Jimisola Laursen <jimisola.laursen@resurs.se>

Author: jimisola

.github/workflows/release_prod.yml

@@ -37,7 +37,7 @@ jobs:
           path: dist
 
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           sign-artifacts: true
 

.github/workflows/release_test.yml

@@ -28,7 +28,7 @@ jobs:
           name: dist
           path: dist
       - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           repository-url: https://test.pypi.org/legacy/
           sign-artifacts: true