ci: pin github action with full-length commit hash #40
ostk0069 wants to merge 1 commit into pantsbuild:main from
Conversation
@jsirois Could you please review this?
@ostk0069 I am no longer a committer in this org, so I'm not sure if sha pinning is what is desired. You probably want @benjyw, @sureshjoshi or @tdyas to take a look.
@sureshjoshi I need your review, please.
Thanks for the PR @ostk0069. We haven't yet agreed to require SHA pinning (something we'd likely roll out across all repos together). At the moment, the approach I tend to take is to pin major (or major.minor) versions of the platform provider (i.e. GitHub), and then SHA pin basically everyone else. That meets a reasonable security risk-reward tolerance (to me, anyways). However, this PR did point out that we don't have Dependabot running here to handle these upgrade reminders, so I went ahead and opened #41. Thanks for the reminder.
In order to enable the "Require actions to be pinned to a full-length commit SHA" setting, this diff is necessary.
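The repository setting named in the description rejects any `uses:` reference whose ref is not a 40-character commit SHA, which is what makes a tag-pinned step such as `actions/checkout@v4` fail the check. The script below is an added example, not code from this PR or from the pantsbuild repository: it scans a workflow file for `uses:` references and reports each one that is not pinned to a full-length SHA, classifying the ref as a version tag, an abbreviated SHA, or a branch. The `trusted_owners` option is an assumption added here to mirror the practice described in the thread of pinning the platform provider's own actions by major (or major.minor) version while SHA-pinning everyone else; the sample workflow, the action names, and the all-zero SHA are constructed placeholders, not real upstream commits.

```python
"""Audit a GitHub Actions workflow for `uses:` references that are not pinned
to a full-length (40 hex character) commit SHA.

Added example; not code from the PR or the pantsbuild repository.  The
workflow text, action names and SHA-looking values below are constructed
for the example and are not real upstream commits.
"""
import re
from typing import Iterable, List, Tuple

# Matches a step reference of the form owner/repo[/path]@ref, with or without
# quotes, and stops the ref at whitespace or a trailing "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ABBREV_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
MAJOR_OR_MINOR_RE = re.compile(r"^v\d+(\.\d+)?$")


def check_uses_refs(
    workflow_text: str, trusted_owners: Iterable[str] = ()
) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, reason) for every reference that would fail
    the "pinned to a full-length commit SHA" policy.

    trusted_owners (assumption, not part of the GitHub setting): owners such as
    "actions" for which a major or major.minor tag is accepted in place of a
    SHA.  Pass no owners to reproduce the strict setting.
    """
    trusted = set(trusted_owners)
    findings: List[Tuple[int, str, str, str]] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        # Local actions and docker images cannot be pinned to a git SHA.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if FULL_SHA_RE.match(ref):
            continue
        owner = action.split("/", 1)[0]
        if owner in trusted and MAJOR_OR_MINOR_RE.match(ref):
            continue
        if ABBREV_SHA_RE.match(ref):
            reason = "abbreviated SHA"
        elif VERSION_TAG_RE.match(ref):
            reason = "version tag"
        else:
            reason = "branch or other mutable ref"
        findings.append((line_no, action, ref, reason))
    return findings


# Constructed sample workflow; the all-zero value stands in for a real SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # v5 (placeholder SHA)
      - uses: some-org/some-action@main
      - uses: some-org/other-action@v1.2.3
      - uses: some-org/short-action@abcdef1
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    print("strict (matches the GitHub setting):")
    for f in check_uses_refs(SAMPLE_WORKFLOW):
        print("  line %d: %s@%s (%s)" % f)
    print("platform provider pinned by version, everyone else by SHA:")
    for f in check_uses_refs(SAMPLE_WORKFLOW, trusted_owners=("actions",)):
        print("  line %d: %s@%s (%s)" % f)
```

Run against a real workflow with no trusted owners to preview exactly which steps the repository setting would reject; the abbreviated-SHA case is worth keeping separate in the report because a short hash looks pinned to a reviewer but still fails the full-length requirement.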