ci: pin third-party GitHub Actions to commit SHAs

Round-2 audit fix. Pins all unpinned third-party action 'uses:' to
their current commit SHAs so a force-push or retag of an upstream
ref can't substitute attacker code at install time. Tag annotations
preserved as trailing comments so future bumps stay traceable.

Same pattern shipped at XRPLF/xrpl-rust#304.

Author: satyakwok

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v6
+        uses: pnpm/action-setup@739bfe42ca924aa46f50ef27aff1c97d09b2d24d # v6
         with:
           version: 10.33.0
           run_install: false

.github/workflows/codeql.yml

@@ -23,9 +23,9 @@ jobs:
         language: ['javascript-typescript']
     steps:
       - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action/init@7fd177fa680c19180e54b0d8d72d6b4ca37aaecb # v3
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@7fd177fa680c19180e54b0d8d72d6b4ca37aaecb # v3
         with:
           category: '/language:${{ matrix.language }}'