VLN-1493: remediate unpinned-github-actions

[picatz]

🏕️ This pull request was created by camper, an automated security campaign tool.

Finding

Rule	unpinned-github-actions
Severity	MEDIUM
Repository	temporalio/roadrunner-temporal
Ticket	VLN-1493

Summary

🤠 Deputy pinned dependencies to immutable references.

• Total refs: 16
• Pinned refs: 16

Changed references:

• github/codeql-action/autobuild: v4 -> 8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
• github/codeql-action/analyze: v4 -> 8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
• actions/checkout: v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
• actions/setup-go: v6 -> 4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
• github/codeql-action/init: v4 -> 8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
• golangci/golangci-lint-action: v9 -> 82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
• actions/checkout: v6 -> df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
• actions/setup-go: v6 -> 4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
• actions/upload-artifact: v7 -> 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
• actions/download-artifact: v8 -> 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
• +6 more

Instructions

• Approve to merge this fix
• Request changes to trigger a new remediation attempt
• /camper rebase — rebase onto the base branch
• /camper close — close this PR without merging
• /camper retry — close and retry with a new fix

[semgrep-managed-scans]

Semgrep found 2 missing-explicit-permissions findings:

• .github/workflows/linters.yml
  • L7-22 - Triage
• .github/workflows/codeql-analysis.yml
  • L19-71 - Triage

No explicit GITHUB_TOKEN permissions found at the workflow or job level. Add a permissions: block at the workflow root (applies to all jobs) or per job with least privilege (e.g., contents: read and only specific writes like pull-requests: write if needed).

[rustatian]

Thank you @picatz 👍🏻