chore: pin GitHub Actions to commit SHAs for security compliance (#5512)

This PR updates all GitHub Actions workflows to use full-length commit
SHAs instead of version tags to comply with GitHub's security
requirement for pinned actions.

## Background

GitHub now provides an option to "Require actions to be pinned to a
full-length commit SHA" in repository settings for enhanced security.
This prevents potential supply chain attacks by ensuring workflows use
specific, immutable versions of actions rather than mutable tags that
could be changed by attackers.

## Changes Made

Updated both `.github/workflows/ci.yml` and
`.github/workflows/release.yml` to pin all actions:

- `actions/checkout@v5` →
`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8`
- `actions/setup-node@v5` →
`actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444`
- `pnpm/action-setup@v4` →
`pnpm/action-setup@36de12bed180fa130ed56a35e7344f2fa7a820ab`
- `actions/github-script@v8` →
`actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd`
- `codecov/codecov-action@v5` →
`codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7`

Each action now includes an inline comment showing the original version
(e.g., `# v5`) for maintainability and easy reference when updating in
the future.

## Validation

- ✅ All workflows are syntactically valid
- ✅ Build and lint processes continue to work correctly
- ✅ No functional changes to CI/CD behavior

This is a security-focused maintenance update with no impact on
functionality.

Fixes #5506.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 Share your feedback on Copilot coding agent for the chance to win a
$200 gift card! Click
[here](https://survey3.medallia.com/?EAHeSx-AP01bZqG0Ld9QLQ) to start
the survey.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>
Co-authored-by: MK (fengmk2) <fengmk2@gmail.com>

Author: Copilot

.github/workflows/ci.yml

@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Cancel running workflows on PR close/merge
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const { owner, repo } = context.repo;
@@ -61,13 +61,13 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@36de12bed180fa130ed56a35e7344f2fa7a820ab # v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: '22'
           cache: 'pnpm'
@@ -97,13 +97,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@36de12bed180fa130ed56a35e7344f2fa7a820ab # v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: ${{ matrix.node }}
           cache: 'pnpm'
@@ -117,7 +117,7 @@ jobs:
       - name: Code Coverage
         # skip on windows, it will hangup on codecov
         if: ${{ matrix.os != 'windows-latest' }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
         with:
           use_oidc: true
 
@@ -137,13 +137,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@36de12bed180fa130ed56a35e7344f2fa7a820ab # v4
 
       - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: ${{ matrix.node }}
           cache: 'pnpm'
@@ -157,6 +157,6 @@ jobs:
       - name: Code Coverage
         # skip on windows, it will hangup on codecov https://github.com/codecov/codecov-action/issues/1787
         if: ${{ matrix.os != 'windows-latest' }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
         with:
           use_oidc: true

.github/workflows/release.yml

@@ -55,18 +55,18 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: ${{ github.event.inputs.branch }}
           fetch-depth: 0
           # Use git token for checkout and pushing
           token: ${{ secrets.GIT_TOKEN }}
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@36de12bed180fa130ed56a35e7344f2fa7a820ab # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: '22'
           cache: 'pnpm'
@@ -141,7 +141,7 @@ jobs:
 
       - name: Create GitHub Release (draft)
         if: ${{ github.event.inputs.dry_run != 'true' }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           github-token: ${{ secrets.GIT_TOKEN }}
           script: |