Pin-down external GHA to SHA refs to protect against compromise#339
Merged: knuton merged 1 commit into dividat:main on Apr 28, 2026
Conversation

Author (collaborator) comment:
Whoops, short SHAs don't work, need to fix.
knuton (member) approved these changes on Apr 28, 2026 and left a comment:
Confirmed that the original refs resolve to those commits with an ad hoc AI-gen bash script:
```bash
#!/bin/bash
# Resolve a user/repo@sha reference via the GitHub API and print the commit
# it points at, so that a pinned ref can be checked against the intended commit.

# Check that an argument was provided
if [ -z "$1" ]; then
  echo "Usage: $0 <user/repo@sha>"
  echo "Example: $0 torvalds/linux@1bd9238"
  exit 1
fi

# Check that jq is installed
if ! command -v jq &> /dev/null; then
  echo "Error: 'jq' is required but not installed. Please install it (e.g., apt install jq, brew install jq)."
  exit 1
fi

# Parse the input format (user/repo@sha)
# IFS (Internal Field Separator) splits the string at '/' and '@'
IFS='@/' read -r user repo sha <<< "$1"
if [ -z "$user" ] || [ -z "$repo" ] || [ -z "$sha" ]; then
  echo "Error: Invalid format. Please use user/repo@sha"
  exit 1
fi

echo "Fetching commit info for $user/$repo at $sha..."
echo "--------------------------------------------------"

# Fetch data from the GitHub API
response=$(curl -s -H "Accept: application/vnd.github.v3+json" \
  "https://api.github.com/repos/$user/$repo/commits/$sha")

# The API reports errors ("Not Found", rate limiting, ...) in a top-level "message" field
message=$(echo "$response" | jq -r '.message // empty')
if [ -n "$message" ]; then
  echo "Error from GitHub API: $message"
  exit 1
fi

# Extract and print the relevant information using jq; the full SHA is what a
# pinned `uses:` reference must carry
echo "$response" | jq -r '
  "Commit: " + .sha,
  "Author: " + .commit.author.name + " <" + .commit.author.email + ">",
  "Date:   " + .commit.author.date,
  "URL:    " + .html_url,
  "--------------------------------------------------\n" +
  .commit.message
'
```
Been meaning to do this, but this was the final trigger: https://socket.dev/blog/bitwarden-cli-compromised
Doing this for e.g. actions/checkout might be overkill, but I think it is more hygienic if it is identical for all uses:
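Added example (not code from this PR or the dividat repository): a bash check for the rule the PR applies, namely that every external `uses:` reference carries the full 40-hex commit SHA, which is also why the short SHAs noted above are rejected. The function names, the placeholder SHA and the sample workflow are constructed for this example.

```bash
#!/bin/bash
# Added example, not code from the PR: flag `uses:` references in a workflow
# that are not pinned to a full 40-hex commit SHA (tags, branches, short SHAs).

# Print the action reference from a `uses:` line; print nothing for other lines.
extract_uses_ref() {
  local line="$1" ref
  line="${line#"${line%%[![:space:]-]*}"}"   # strip indentation and "- "
  case "$line" in uses:*) ;; *) return 0 ;; esac
  ref="${line#uses:}"
  ref="${ref#"${ref%%[![:space:]]*}"}"       # strip spaces after the colon
  ref="${ref%%[[:space:]#]*}"                # drop a trailing "# v4.2.2" comment
  ref="${ref//\"/}"; ref="${ref//\'/}"       # drop surrounding quotes
  printf '%s\n' "$ref"
}

# A pin is only a pin if the ref is the full 40-hex commit SHA.
is_full_sha() { [[ "$1" =~ ^[0-9a-f]{40}$ ]]; }

# Report every unpinned external action in FILE; return 1 if any were found.
check_action_pins() {
  local file="$1" line ref bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    ref=$(extract_uses_ref "$line")
    [ -z "$ref" ] && continue
    case "$ref" in ./*|docker://*) continue ;; esac   # local actions and images are out of scope
    if [ "$ref" = "${ref##*@}" ] || ! is_full_sha "${ref##*@}"; then
      echo "$file: '$ref' is not pinned to a full commit SHA"
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Constructed sample workflow (not from the repository); the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: "example-org/example-action@1bd9238"
      - uses: ./.github/actions/local-step
EOF
if check_action_pins "$SAMPLE_WORKFLOW"; then echo "all external actions are pinned"; else echo "pin the refs above to full SHAs"; fi
```

Run it over `.github/workflows/*.yml` in CI to catch a tag or short SHA slipping back in; the version comment after the SHA is what keeps the pin readable.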