chore: Pin third-party GitHub Actions to commit SHAs

[arpitjain099]

Describe the issue this Pull Request addresses

Pins third-party GitHub Actions that were referenced by mutable tags to full commit SHAs in the affected workflow(s).

Summary and Changelog

A mutable tag can be repointed by the upstream owner, or by an attacker who compromises the action's repository, to arbitrary code that then runs in CI with the workflow's token and secrets. That is the failure mode behind CVE-2025-30066 (the tj-actions/changed-files compromise). Pinning to an immutable commit SHA makes the referenced code deterministic. GitHub-maintained actions/* were left on their existing refs.

Impact

CI/build hardening only. No public API, runtime behavior, or user-facing change. Each pinned SHA corresponds to the same release the tag pointed to, so workflow behavior is unchanged.

Risk Level

none

Documentation Update

N/A

Contributor's checklist

• Read through contributor's guide
• Enough context is provided in the sections above
• Adequate tests were added if applicable

[hudi-agent]

🤖 This review was generated by an AI agent and may contain mistakes. Please verify any suggestions before applying.

No reviewable code files in this PR.

cc @yihua

[hudi-bot]

CI report:

• c7b7bf7 Azure: SUCCESS

Bot commands

@hudi-bot supports the following commands:

• @hudi-bot run azure re-run the last Azure build

[yihua]

LGTM. @arpitjain099 Thanks for the fix! Could you fix the PR title and description to be compliant?

[arpitjain099]

Thanks @yihua! Updated the title to the [MINOR] convention and filled in the Change Logs / Impact / Risk level (none) / Documentation Update sections per the template. Let me know if you'd like any further tweaks.