
chore(OP-2780): pin GitHub Actions to commit SHA #66

Open: zonorti wants to merge 1 commit into main from chore/OP-2780-pin-actions-to-sha

Conversation


@zonorti zonorti commented Mar 27, 2026

Action required: merge before ~April 20

Platform Engineering is enabling the GitHub org policy "Require actions to be pinned to a full-length commit SHA" (week 17). Once active, any workflow that references an action by version tag (e.g. @v4) will be blocked from running.

This PR pins all actions in this repo to their full commit SHA so workflows keep running after the policy is enforced.

Please merge this PR before week 17 (April 20). If you have questions, reach out in #support-platform-engineering or see OP-2780.

Copilot AI review requested due to automatic review settings March 27, 2026 09:42

Copilot AI left a comment


Pull request overview

This PR updates the repository’s GitHub Actions workflows to comply with the upcoming org policy requiring third-party actions to be pinned to full-length commit SHAs, ensuring CI/CD continues to run once the policy is enforced.

Changes:

  • Pinned core GitHub actions (checkout, setup-node, upload/download-artifact) to full commit SHAs.
  • Pinned third-party actions (Codecov, SonarQube, gh-pages, Ketryx, CodeQL) to full commit SHAs.
  • Added version annotations alongside pinned SHAs for traceability.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

  • .github/workflows/ci-cd.yml: pins all referenced actions in CI/CD, docs deploy, and release jobs to commit SHAs.
  • .github/workflows/_report-to-ketryx.yml: pins artifact download and Ketryx reporting actions to commit SHAs.
  • .github/workflows/_codeql.yml: pins checkout/setup-node and CodeQL init/analyze actions to commit SHAs.

steps:
- name: Checkout repository
uses: actions/checkout@v4 # v5.0.0
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
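Review bot: the removed line's own annotation (`# v5.0.0`) already disagreed with its `@v4` ref, and the replacement's `# v4` is the same kind of unchecked annotation: GitHub resolves only the SHA and never reads the comment, so before merging confirm that 34e114876b0b11c390a56381ad16ebd13914f8d5 is really the commit behind the tag the comment names (for example by comparing it against `git ls-remote --tags https://github.com/actions/checkout`) and write the full tag, as the other workflows in this PR do, so the next pin bump can repeat the check.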

Copilot AI Mar 27, 2026


In this workflow, the pinned actions/checkout line is annotated as # v4, while other workflows pin the same SHA with a full semver (e.g. # v4.3.1). For consistency and easier auditing/updates, consider using the same semver comment here as well (and avoid leaving any example uses: ...@vX snippets in comments, since they can be confusing in a repo that requires SHA pinning).

Suggested change
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

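A small checker that makes the rule from the PR description and the annotation point from the review above mechanical, as an added example that is not part of this PR or of the repository's own tooling: it scans workflow text for `uses:` references, reports every ref that is not a full 40-hex commit SHA (what the org policy will refuse to run), and separately flags SHA-pinned lines whose trailing comment is not a full semver tag. The sample workflow is constructed here; it reuses the two checkout lines from the diff above, adds a made-up branch ref and a local action for contrast, and takes the `# v4.3.1` pairing from the review comment without verifying it against the upstream tag.

```python
"""Check GitHub Actions workflow text for unpinned `uses:` references.

Added example, not the PR's own tooling. "block" findings are refs the
SHA-pinning policy will reject; "warn" findings are SHA-pinned refs whose
version annotation is not a full semver tag (the consistency point raised
in the review).
"""
import re
import sys
from dataclasses import dataclass

SHA_RE = re.compile(r"[0-9a-f]{40}")          # full-length commit SHA
SEMVER_RE = re.compile(r"v?\d+\.\d+\.\d+")    # e.g. v4.3.1, what the annotation should carry
# `uses: <spec>`, optionally quoted, optionally followed by a trailing `# comment`.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(.*?))?\s*$""")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    severity: str  # "block": policy rejects it; "warn": pinned, but annotation is weak
    message: str


def check_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), (m.group(2) or "").strip()
        # Local composite actions and docker:// images are not repository refs,
        # so the SHA-pinning policy does not apply to them.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append(Finding(line_no, spec, "", "block",
                                    "no ref given; pin to a full commit SHA"))
            continue
        action, ref = spec.rsplit("@", 1)
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(line_no, action, ref, "block",
                                    f"mutable ref {ref!r}; pin to a full 40-hex commit SHA"))
            continue
        if not SEMVER_RE.fullmatch(comment):
            findings.append(Finding(line_no, action, ref, "warn",
                                    f"pinned, but annotation {comment!r} is not a full semver tag "
                                    "(use e.g. '# v4.3.1' so the pin can be audited)"))
    return findings


def policy_compliant(text: str) -> bool:
    """True when nothing in the text would be blocked by the SHA-pinning policy."""
    return not any(f.severity == "block" for f in check_workflow(text))


# Constructed sample workflow: the two checkout lines come from the diff in this
# PR; the branch ref and the local action are made up for contrast.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (tag ref, and the comment disagrees with the tag)
        uses: actions/checkout@v4 # v5.0.0
      - name: Checkout (SHA-pinned, short annotation)
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: Checkout (SHA-pinned, full semver annotation)
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - name: Branch ref (constructed; mutable)
        uses: codecov/codecov-action@main
      - name: Local composite action (constructed; outside the policy)
        uses: ./.github/actions/local-step
"""


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check the given files.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    exit_code = 0
    for name, text in sources:
        for f in check_workflow(text):
            print(f"{name}:{f.line_no}: {f.severity}: {f.action}@{f.ref} {f.message}")
            if f.severity == "block":
                exit_code = 1
    sys.exit(exit_code)
```

Run it over `.github/workflows/*.yml` before the policy date: `block` findings are what the policy will refuse to run, `warn` findings are the traceability gap the review points out. The annotation is advisory only; GitHub runs whatever the SHA resolves to and ignores the comment, so a wrong comment silently misleads whoever bumps the pin next.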

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@@           Coverage Diff           @@
##             main      #66   +/-   ##
=======================================
  Coverage   96.38%   96.38%           
=======================================
  Files          13       13           
  Lines        1301     1301           
  Branches      191      189    -2     
=======================================
  Hits         1254     1254           
  Misses         47       47           
Flag       Coverage Δ
unittests  96.38% <ø> (ø)

Flags with carried forward coverage won't be shown.

