
chore(ci): Pin GitHub Actions to specific commit SHAs #115

@finxo

Summary

Update GitHub Actions workflows to pin actions to specific commit SHAs instead of version tags (e.g., @v1) for improved security. This change mitigates the risk of tag mutability, where a tag could be updated to point to a malicious commit.

Description

As a security best practice, third-party GitHub Actions should be pinned to a full-length commit SHA. This ensures that the exact version of the action's code is executed every time, preventing unexpected or malicious changes that could be introduced if a version tag is moved.

This issue tracks the work to update the following actions:

  • snok/install-poetry@v1
  • softprops/action-gh-release@v1

Objectives

  • Improve the security posture of the CI/CD pipeline.
  • Mitigate risks associated with mutable version tags in GitHub Actions.
  • Align with security best practices for software supply chain security.

Category

CI/CD configuration

Tasks

  • Identify the latest stable commit SHA for snok/install-poetry corresponding to the v1 tag.
  • Identify the latest stable commit SHA for softprops/action-gh-release corresponding to the v1 tag.
  • Update all relevant workflow files to replace the version tags with the identified commit SHAs.
  • Verify that the CI pipeline continues to execute successfully after the changes.

Considerations

This change improves security but introduces a maintenance overhead. Updating actions in the future will require manually finding and replacing the commit SHAs, rather than relying on automatic updates from version tags like @v1.

Configuration Changes

# Before (easier to maintain)
- uses: snok/install-poetry@v1

# After (more secure)
- uses: snok/install-poetry@93ada01c735cc8a383ce0ce3526e41afec15c0d3 # v1.4.1
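As an added example (not part of this issue or the project's own CI), a small Python check that flags every third-party `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA, which is the verification step the tasks above call for. The workflow text is constructed, and `example-org/example-action` is a placeholder name.

```python
import re

# Matches `uses: owner/repo[/path]@ref` for steps (with leading `-`) and for
# reusable-workflow calls (no `-`), with an optional trailing `# version` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"@]+)@([^\s'\"#]+)['\"]?(?:\s*#\s*(\S+))?"
)
# A full-length commit SHA is 40 lowercase hex characters; short SHAs, tags
# and branch names are all mutable (or ambiguous) and are rejected.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_pins(workflow_text):
    """Return (line_no, action, ref) for each `uses:` not pinned to a full SHA.

    Local actions (./path) and docker:// images carry no `@ref`, so they never
    match and are left to other controls.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, _version_comment = m.groups()
        if not FULL_SHA_RE.match(ref):
            findings.append((n, action, ref))
    return findings


# Constructed sample: one branch ref, one SHA-pinned action from this issue,
# one tag-pinned action from this issue, and one local action.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: example-org/example-action@main
      - uses: snok/install-poetry@93ada01c735cc8a383ce0ce3526e41afec15c0d3 # v1.4.1
      - uses: softprops/action-gh-release@v1
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, action, ref in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a full commit SHA")
```

Run it over `.github/workflows/*.yml` in CI and fail the job when the returned list is non-empty; the `# v1.4.1` style comment after the SHA keeps the human-readable version visible for future updates.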

Metadata

Labels: chore (Maintenance tasks: dependencies, configs, CI/CD), maintenance (General maintenance and housekeeping)