
chore: pin GitHub Actions to commit SHAs#3057

Merged: alainncls merged 1 commit into main from chore/pin-github-actions-20260512 on May 18, 2026

Conversation

@BGos87 (Contributor) commented May 12, 2026

Summary

Pin every uses: ref in .github/workflows/ (and any composite action
files) to a full 40-character commit SHA, with the original tag
preserved as a # vX comment.

Why

Tags and branches are mutable, so a compromised action can replace what
runs in our pipelines without changing the tag we reference. Pinning to
a SHA closes that supply-chain vector. See GitHub's hardening guide:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.

Deadline

TechOps is enforcing SHA-pinned GitHub Actions across the org by
June 8, 2026. Merging this PR brings the repo into compliance ahead of
the cut-over; after that date workflows that still reference mutable
tags or branches will be blocked from running.

How

Generated mechanically with pinact run.
No version bumps were applied (strict pin); follow-up upgrades can come
from Renovate or a separate pinact run -u PR.

Test plan

  • CI green on this branch

Note (Cursor Bugbot)

Low Risk: low functional risk (no runtime code changes), but CI could break if any pinned SHAs are incorrect or action outputs/behavior subtly differ from the previously referenced tags.

Overview
Pins GitHub Actions dependencies across CI. Replaces mutable uses: ...@vX / @main refs in .github/workflows/* and composite actions with full commit SHAs, preserving the original version as a comment.

This includes core actions like actions/checkout, actions/upload-artifact/download-artifact, actions/setup-node, actions/setup-go, caching actions, and a few workflow-specific actions (e.g., CodeQL SARIF upload, release creation/upload, stale bot), reducing supply-chain risk from tag/branch retargeting.

Reviewed by Cursor Bugbot for commit 54aa54e. Bugbot is set up for automated code reviews on this repo.

Pin every `uses:` ref in .github/workflows and composite actions to a
full 40-character commit SHA, with the original tag preserved as a
comment, e.g.

    uses: actions/checkout@11bd719 # v4

Tags and branches are mutable; commit SHAs are not. Pinning to a SHA
closes a supply-chain vector where a compromised action could replace
what runs in CI without changing the tag we reference.

Generated mechanically with `pinact run`
(https://github.com/suzuki-shunsuke/pinact). No version bumps were
applied (strict pin).
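As an added illustration of the pinning rule the PR enforces (not code from this repository or from pinact), the following checker scans workflow text for `uses:` refs and reports anything that is not a full 40-character SHA pin, including abbreviated SHAs and pins that lost their `# vX` tag comment. The sample workflow is constructed; only the `actions/stale` SHA comes from the Socket report on this PR, the other SHAs are made up.

```python
import re

# A step's `uses:` line: optional list dash, the action ref, then the optional
# trailing "# vX" comment that pinact leaves behind to record the original tag.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def check_uses_refs(workflow_text: str) -> list[dict]:
    """Return one finding per `uses:` line that is not a full 40-hex SHA pin.
    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable GitHub tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            if m.group("comment"):
                continue  # properly pinned, tag recorded in the comment
            reason = "pinned to a SHA, but the original tag comment is missing"
        elif SHORT_SHA_RE.match(version):
            reason = "abbreviated SHA, not a full 40-character pin"
        else:
            reason = "mutable tag or branch"
        findings.append({"line": lineno, "action": action, "ref": version, "reason": reason})
    return findings


# Constructed sample workflow (hypothetical, not from this repository). The
# actions/stale SHA is the new value Socket reported for this PR; the
# checkout and upload-artifact SHAs are made-up placeholders.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@abc1234 # v4
      - uses: actions/setup-node@v4
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # vX
      - uses: actions/upload-artifact@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""
```

Running `check_uses_refs(SAMPLE_WORKFLOW)` flags lines 5, 6, 8 and 11 and leaves the fully pinned stale step, the local action and the docker image alone.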
@cla-assistant (Bot) commented May 12, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@socket-security (Bot)

Review the following changes in direct dependencies (Socket for GitHub):

Diff: Updated
Package: github/actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f ⏵ b5d41d4e1d5dceea10e7104786b73624c18a190f
Supply Chain Security: 100 | Vulnerability: 100 | Quality: 100 | Maintenance: 100 | License: 80

@codecov-commenter commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.18%. Comparing base (4f42a8a) to head (54aa54e).

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #3057      +/-   ##
============================================
- Coverage     77.19%   77.18%   -0.01%     
  Complexity     7003     7003              
============================================
  Files          1121     1121              
  Lines         44508    44508              
  Branches       5355     5355              
============================================
- Hits          34356    34355       -1     
- Misses         8785     8786       +1     
  Partials       1367     1367              
Flag                             Coverage Δ             Carryforward flag*
hardhat                          96.17% <ø> (ø)
kotlin                           55.85% <ø> (-0.01%) ⬇️
lido-governance-monitor          97.61% <ø> (ø)
linea-native-libs                90.69% <ø> (ø)
linea-shared-utils               96.18% <ø> (ø)
native-yield-automation-service  97.68% <ø> (ø)
postman                          99.92% <ø> (ø)
sdk-core                         98.09% <ø> (ø)
sdk-ethers                       89.83% <ø> (ø)
sdk-viem                         99.45% <ø> (ø)
tracer                           88.56% <ø> (ø)         Carried forward from 4f42a8a

*This pull request uses carry forward flags.
2 files have indirect coverage changes.


alainncls merged commit e4bc01b into main on May 18, 2026
84 of 87 checks passed
alainncls deleted the chore/pin-github-actions-20260512 branch on May 18, 2026 09:49