fix(vuln): pin and bump action refs (SEC-171)

[aris1009]

What

Deterministic remediation of four zizmor audit rules:

• known-vulnerable-actions — bumps vulnerable refs to the GHSA advisory's first_patched_version, re-pins to SHA, syncs the version comment.
• unpinned-uses — rewrites @tag refs to @<sha> # <tag>.
• ref-version-mismatch — rewrites the trailing comment to match the tag the pinned SHA actually points at.
• impostor-commit — replaces the impostor SHA with the correct SHA for the tag.

All edits are SHA-pinned ref rewrites plus comment synchronisation. No workflow logic, step ordering, permissions, or non-.github/ files are touched.

How

1. zizmor --fix=all run under a restricted config (sec-scan/sec-ops/sec-171-action-refs/zizmor.yml) that disables every other audit.
2. A Python post-processor (postprocess.py) repairs any line where zizmor's auto-fix left the ref unpinned — an observed failure mode on certain impostor-commit cases. The post-processor resolves the tag → SHA via gh api and rewrites the line.
3. Two sanity guards run before commit:
   • git diff --name-only must only contain paths under .github/.
   • Every added uses: line must match owner/repo@<40-hex-sha>.

⚠️ Merge blocker — SHA allowlist

Do NOT merge this PR until the new SHAs have been added to the org-level GitHub action allowlist. The rudderlabs org enforces a by-SHA allowlist on all uses: references (supply-chain guard). Every SHA introduced by this PR is captured in /tmp/sec-171-sha-manifest.txt on the machine that produced the sweep; the allowlist will be updated by @aris1009 before merge coordination.

Ticket

Closes part of SEC-171 — parent epic SEC-162.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.