Pin GitHub Actions to commit SHAs

Pin actions/checkout@v4 and actions/setup-go@v5 to their current commit
SHAs to prevent supply chain attacks via compromised mutable tags.

Author: jgowdy

.github/workflows/publish.yml

@@ -12,7 +12,7 @@ jobs:
       image: node:bookworm
       options: --ulimit core=-1 --ulimit memlock=-1:-1
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     - name: Install Bun
       run: |
         set -e  # Exit on error

.github/workflows/test.yml

@@ -29,7 +29,7 @@ jobs:
       image: node:bookworm
       options: --ulimit core=-1 --ulimit memlock=-1:-1
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     - name: Install Bun
       run: |
         set -e  # Exit on error
@@ -70,7 +70,7 @@ jobs:
           INDEX (created)
         );"
     - name: Setup Go environment
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
       with:
         go-version: 1.24.0
     - name: Test Cross-Language
@@ -92,7 +92,7 @@ jobs:
       matrix:
         arch: [ {tag: arm64v8, platform: linux/arm64/v8} ]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     - name: Setup Multi-Architecture Support
       run: scripts/setup-multiarch.sh
     - name: Test Multi-Architecture