
Pin GitHub Actions to commit SHAs #5464

Merged
penghuo merged 1 commit into opensearch-project:main from Divyaasm:pin-actions-to-sha on May 22, 2026

Conversation

@Divyaasm
Contributor

Description

Pin all GitHub Action tag references to their corresponding commit SHAs.

Tags are mutable references that can be force-pushed to point to different commits, making them vulnerable to supply chain attacks. Commit SHAs are immutable and guarantee that the exact reviewed code is executed in CI workflows. This change pins all third-party actions to their current commit SHAs to prevent potential tampering.

Signed-off-by: Divya Madala <divyaasm@amazon.com>
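As an added example (not code from this PR or from the OpenSearch project), the Python script below does on a constructed workflow fragment what the description above calls for: it lists step references that still point at a tag or branch, rewrites them to the resolved commit SHA while keeping the original tag as a trailing comment, and then checks each already-pinned reference the way the analyzer report asks, confirming that the SHA matches the commit the tag resolves to. The workflow text, action names and SHAs are constructed placeholders; the `RESOLVED` map stands in for the output of `git ls-remote --tags` (for an annotated tag, the peeled `refs/tags/<tag>^{}` entry is the commit, the un-peeled entry is the tag object and must not be used). Docker image references are recognised but left alone, since they need digest pinning rather than a commit SHA.

```python
import re

# Constructed workflow fragment; the actions, tags and SHAs are placeholders,
# not real releases.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: example-org/pinned@0123456789abcdef0123456789abcdef01234567 # v2.2.0
      - uses: example-org/stale@ffffffffffffffffffffffffffffffffffffffff # v1.0.0
"""

# Constructed (action, tag-or-branch) -> commit SHA map. In practice this is
# built from `git ls-remote --tags https://github.com/<owner>/<repo>`, taking
# the peeled `^{}` line for annotated tags so the value is the commit id.
RESOLVED = {
    ("actions/checkout", "v4"): "a" * 40,
    ("example-org/some-action", "master"): "b" * 40,
    ("example-org/pinned", "v2.2.0"): "0123456789abcdef0123456789abcdef01234567",
    ("example-org/stale", "v1.0.0"): "c" * 40,  # deliberately differs from the file
}

# Step-level `- uses:` lines only; an optional `# <version>` trailing comment
# is captured so pinned lines can be verified against RESOLVED.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-\s*uses:\s*)(?P<ref>\S+)\s*(?:#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")


def parse_uses(line):
    """Return (prefix, ref, comment) for a `- uses:` line, else None."""
    m = USES_RE.match(line)
    return (m.group("prefix"), m.group("ref"), m.group("comment")) if m else None


def classify(ref):
    """'local' (./path), 'docker' (docker://), 'sha' (40-hex commit) or 'mutable'."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.partition("@")
    return "sha" if SHA_RE.fullmatch(version) else "mutable"


def find_mutable(workflow_text):
    """List (line_no, ref) for every action reference not pinned to a full SHA."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed and classify(parsed[1]) == "mutable":
            hits.append((n, parsed[1]))
    return hits


def pin(workflow_text, resolved):
    """Rewrite mutable refs to `<action>@<sha> # <original ref>`.

    A ref with no entry in `resolved` is left untouched so that find_mutable()
    on the result still reports it instead of silently dropping it.
    """
    out = []
    for line in workflow_text.splitlines():
        parsed = parse_uses(line)
        if parsed and classify(parsed[1]) == "mutable":
            prefix, ref, _ = parsed
            action, _, version = ref.partition("@")
            sha = resolved.get((action, version))
            if sha:
                line = f"{prefix}{action}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


def check_pinned(workflow_text, resolved):
    """Verify every SHA-pinned step against the tag named in its trailing comment.

    Returns (line_no, ref, reason) for each line that cannot be confirmed:
    'no version comment', 'not resolvable' (tag unknown) or 'mismatch'.
    """
    problems = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        parsed = parse_uses(line)
        if not parsed or classify(parsed[1]) != "sha":
            continue
        _, ref, comment = parsed
        action, _, sha = ref.partition("@")
        if comment is None:
            problems.append((n, ref, "no version comment"))
            continue
        expected = resolved.get((action, comment))
        if expected is None:
            problems.append((n, ref, "not resolvable"))
        elif expected != sha:
            problems.append((n, ref, "mismatch"))
    return problems


if __name__ == "__main__":
    print("unpinned:", find_mutable(SAMPLE_WORKFLOW))
    pinned = pin(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    print("verification problems:", check_pinned(pinned, RESOLVED))
```

The trailing `# v2.2.0` comment is what makes the pinned line reviewable later: without it a reviewer has only a bare hash and must re-derive which release it was meant to be, which is exactly the "verify commit resolves to expected release" work the analyzer flags on every row of its report.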
@github-actions
Contributor

PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 9836d84.

| Path | Line | Severity | Description |
| --- | --- | --- | --- |
| .github/workflows/backport.yml | 19 | high | Dependency change: tibdex/github-app-token switched from tag v1.5.0 to commit hash. Handles GitHub App private keys and emits tokens — verify commit resolves to expected release. |
| .github/workflows/backport.yml | 26 | high | Dependency change: VachaShah/backport switched from tag v2.2.0 to commit hash. Third-party action with repo write access — verify commit authenticity. |
| .github/workflows/enforce-labels.yml | 8 | high | Dependency change: yogevbd/enforce-label-action switched from tag 2.1.0 to commit hash. Personal-namespace third-party action — verify commit resolves to expected release. |
| .github/workflows/link-checker.yml | 17 | high | Dependency change: lycheeverse/lychee-action switched from floating 'master' to commit hash. Verify the pinned commit corresponds to intended functionality. |
| .github/workflows/draft-release-notes-workflow.yml | 16 | high | Dependency change: release-drafter/release-drafter switched from tag v5 to commit hash. Has contents:write permission — verify commit identity against official release. |
| .github/workflows/maven-publish.yml | 29 | high | Dependency change: 1password/load-secrets-action switched from tag v2 to commit hash. Exports secrets as env vars — verify commit matches official 1Password release. |
| .github/workflows/maven-publish.yml | 35 | high | Dependency change: aws-actions/configure-aws-credentials switched from tag v5 to commit hash. Assumes AWS IAM roles — compromise would grant cloud access. Verify commit. |
| .github/workflows/sql-test-and-build-workflow.yml | 70 | high | Dependency change: codecov/codecov-action switched from tag v4 to commit hash. Codecov has been a prior supply chain attack target — verify commit against official release. |
| .github/workflows/stalled.yml | 13 | high | Dependency change: tibdex/github-app-token switched from tag v2.1.0 to commit hash. Handles GitHub App private keys — verify commit resolves to expected release. |
| .github/workflows/publish-async-query-core.yml | 44 | high | Dependency change: 1password/load-secrets-action switched from tag v2 to commit hash. Exports secrets as env vars in a publish workflow — verify commit matches official release. |

The table above displays the top 10 most important findings.

Total: 18 | Critical: 0 | High: 18 | Medium: 0 | Low: 0


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@penghuo penghuo merged commit 51bece3 into opensearch-project:main May 22, 2026
35 of 40 checks passed


3 participants