
Conversation

@bill-akamai

@bill-akamai bill-akamai commented Aug 6, 2025

Description 📝

This PR addresses security vulnerabilities identified by SAST scanning by pinning third-party GitHub Actions to specific commit SHAs instead of mutable references like @master or @v4.

Changes 🔄

  • Pin pnpm/action-setup@v4 to commit SHA a7487c7e89a18df4991f7f222e4898a00d66ddda (v4.1.0)
  • Pin rtCamp/action-slack-notify@master to commit SHA e31e87e03dd19038e411e38ae27cbad084a90661 (v2.3.3)
  • Pin jakejarvis/s3-sync-action@master to commit SHA be0c4ab89158cac4278689ebedd8407dd5f35a83 (v0.5.1)
  • Pin cypress-io/github-action@v6 to commit SHA b8ba51a856ba5f4c15cf39007636d4ab04f23e3c (v6.10.2)
  • Pin oven-sh/setup-bun@v2 to commit SHA 735343b667d3e6f658f44d0eca948eb6282f2b76 (v2.0.2)
  • Pin pnpm/action-setup@v2 to commit SHA eae0cfeb286e66ffb5155f1a79b90583a127a68b (v2.4.1)

Scope 🚢

Upon production release, changes in this PR will be visible to:

  • All customers
  • Some customers (e.g. in Beta or Limited Availability)
  • No customers / Not applicable

Preview 📷

Before: Semgrep scan: 26 findings
After:  Semgrep scan: 0 findings

Prerequisites

  • Install semgrep if not already installed with pip install semgrep

Verification steps

  • Ensure the semgrep "Third Party Action Not Pinned to Commit" test passed. In your terminal, run semgrep --config="r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha" - the output should say "Findings: 0 (0 blocking)".
  • Not all jobs can be checked until this PR is merged to develop. For now, we can check these listed below.
    Ex: Click on the "ESLint Review (api-v4)" below and observe job is using the pinned SHA on the details page.

Post-merge we can check the security-scan job in GitHub Actions for security_scan.yml, example:
https://github.com/linode/manager/actions/runs/16785776661/job/47535731671

And we can check the build job for docs.yml, example:
https://github.com/linode/manager/actions/runs/16785776667/job/47535731564

Author Checklists

As an Author, to speed up the review process, I considered 🤔

👀 Doing a self review
❔ Our contribution guidelines
🤏 Splitting feature into small PRs
➕ Adding a changeset
🧪 Providing/improving test coverage
🔐 Removing all sensitive information from the code and PR description
🚩 Using a feature flag to protect the release
👣 Providing comprehensive reproduction steps
📑 Providing or updating our documentation
🕛 Scheduling a pair reviewing session
📱 Providing mobile support
♿ Providing accessibility support


  • I have read and considered all applicable items listed above.

As an Author, before moving this PR from Draft to Open, I confirmed ✅

  • All tests and CI checks are passing
  • TypeScript compilation succeeded without errors
  • Code passes all linting rules
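As an added illustration of the check this PR's verification step relies on (this is example code, not the project's own nor the semgrep rule itself), the scanner below walks a workflow's `uses:` references and reports any third-party action whose ref is a mutable tag or branch rather than a full 40-hex commit SHA. It assumes a simple line-based regex rather than a full YAML parse, and the two constructed workflow snippets use the action pins listed in this PR.

```python
import re

# Matches a GitHub Actions step reference: owner/repo[/path]@ref, optionally
# followed by a "# vX.Y.Z" comment that records the version the SHA maps to.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
)
# A full commit SHA is the only immutable ref form; short SHAs, tags and
# branches can all be moved by whoever controls the upstream repository.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for each `uses:` reference that is
    not pinned to a full commit SHA. Local actions (./path) have no '@ref'
    and so are not matched; they run repository-controlled code anyway."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and not FULL_SHA_RE.match(match.group("ref")):
            findings.append((lineno, match.group("action"), match.group("ref")))
    return findings


# Constructed sample: the mutable references this PR replaced.
BEFORE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: pnpm/action-setup@v4
      - uses: rtCamp/action-slack-notify@master
      - uses: jakejarvis/s3-sync-action@master
"""

# Constructed sample: the same steps pinned to the SHAs given in this PR,
# with the resolved version kept as a comment for reviewers and Dependabot.
AFTER_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
      - uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
      - uses: jakejarvis/s3-sync-action@be0c4ab89158cac4278689ebedd8407dd5f35a83 # v0.5.1
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        for lineno, action, ref in find_unpinned_actions(text):
            print(f"{name}: line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```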

@bill-akamai bill-akamai self-assigned this Aug 6, 2025
@bill-akamai bill-akamai added the Security Pull requests that address a security vulnerability label Aug 6, 2025
@bill-akamai bill-akamai marked this pull request as ready for review August 6, 2025 20:20
@bill-akamai bill-akamai requested a review from a team as a code owner August 6, 2025 20:20
@bill-akamai bill-akamai requested review from bnussman-akamai and hasyed-akamai and removed request for a team August 6, 2025 20:20
@linode-gh-bot

Cloud Manager UI test results

🔺 2 failing tests on test run #2 ↗︎

❌ Failing: 2
✅ Passing: 703
↪️ Skipped: 4
🕐 Duration: 133m 36s

Details

Failing Tests

Spec: restricted-user-details-pages.spec.ts
Test: Cloud Manager Cypress Tests → restricted user details pages » should disable action elements and buttons in the 'Linodes' details page

Spec: linode-storage.spec.ts
Test: Cloud Manager Cypress Tests → linode storage tab » delete disk

Troubleshooting

Use this command to re-run the failing tests:

pnpm cy:run -s "cypress/e2e/core/account/restricted-user-details-pages.spec.ts,cypress/e2e/core/linodes/linode-storage.spec.ts"


@dwiley-akamai dwiley-akamai left a comment


semgrep output locally ✅


Verification checks in CI ✅

@github-project-automation github-project-automation bot moved this from Review to Approved in Cloud Manager Aug 12, 2025
@bill-akamai bill-akamai merged commit 9849406 into linode:develop Aug 12, 2025
34 of 35 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Merged in Cloud Manager Aug 12, 2025