SHA pin first-party GitHub Actions

Pins every actions/* and github/* uses: reference in
.github/workflows to its commit SHA, with the human-readable
version preserved in a trailing comment, matching the convention
already used for third-party actions. Removes the supply-chain
exposure left by floating @vn tags now that dependabot has a
3-day cooldown configured.

Follows cli/cli#13491 (cli/cli) and
cli/cli#13490.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: williammartin

.github/workflows/codeql.yml

@@ -25,21 +25,21 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Go
         if: matrix.language == 'go'
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: "go.mod"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.5
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.5
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/push.yml

@@ -16,11 +16,11 @@ jobs:
     name: Test suite
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Setup go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
       - run: go test -v ./...