ci: pin all GH actions to SHA's #3623

Merged
rodrodros merged 2 commits into main from ci/pin-actions on May 11, 2026

Conversation

@brbrr (Contributor) commented May 11, 2026

To reduce the chance of supply chain attacks, it's good practice to pin GH Action versions to a commit SHA, not a tag version. Dependabot is capable of updating these.

This PR updates all the occurrences where we still use versions directly.

The SHAs were produced via a simple script:

resolve() {
        # Usage: resolve <owner/repo> <ref> <tag|branch>
        local repo=$1 ref=$2 kind=$3
        local out sha type
        if [ "$kind" = "tag" ]; then
          out=$(gh api "repos/$repo/git/ref/tags/$ref" 2>/dev/null)
        else
          out=$(gh api "repos/$repo/git/ref/heads/$ref" 2>/dev/null)
        fi
        if [ -z "$out" ]; then
          echo "$repo@$ref -> not found" >&2
          return 1
        fi
        sha=$(echo "$out" | jq -r '.object.sha')
        type=$(echo "$out" | jq -r '.object.type')
        # An annotated tag points at a tag object, not a commit;
        # dereference it to get the commit SHA that `uses:` needs.
        if [ "$type" = "tag" ]; then
          sha=$(gh api "repos/$repo/git/tags/$sha" 2>/dev/null | jq -r '.object.sha')
        fi
        echo "$repo@$ref -> $sha"
      }
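The resolver above only produces the SHAs; the other half of the job is finding every `uses:` reference that still points at a tag and rewriting it into the `@<sha> # <tag>` form, and then being able to check later that nothing unpinned has crept back in. The following script is an added example and not code from this PR or from the repository: the sample workflow, the lookup table and its 40-hex values are all constructed placeholders, not real commits of the named actions, and a real run would fill the table from the gh/jq resolver.

```shell
#!/usr/bin/env bash
# Added example, not code from PR #3623: audit `uses:` references in a GitHub
# workflow and rewrite tag references into the `@<sha> # <tag>` form the PR
# adopts. The workflow text and the SHA lookup table are constructed samples;
# the 40-hex values are placeholders, not real commits of these actions.

# Constructed sample workflow: two tag references, one already pinned
# reference, a local action and a docker image reference.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"
      - uses: example/already-pinned@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
'

# Constructed "repo@ref sha" lookup table. In the PR these values came from
# the author's gh/jq resolver; a real run would fill this table from that.
SHA_TABLE='actions/checkout@v4 1111111111111111111111111111111111111111
actions/setup-go@v5 2222222222222222222222222222222222222222'

# List every `uses:` reference that is not pinned to a full 40-hex commit SHA.
# Local actions (./...) and docker:// images are skipped: they are not fetched
# from a GitHub repository ref, so SHA pinning does not apply to them.
unpinned_uses() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' \
      | sed 's/[[:space:]]*#.*$//' \
      | grep -v -e '^\./' -e '^docker://' \
      | grep -v -E '@[0-9a-f]{40}$' || true
}

# Rewrite each `uses: <repo>@<ref>` listed in the table to
# `uses: <repo>@<sha> # <ref>`, keeping the original ref as a comment so
# Dependabot can still match the version when proposing updates.
pin_workflow() {
    local text=$1 table=$2 repo_ref sha
    while read -r repo_ref sha; do
        [ -n "$repo_ref" ] || continue
        text=$(printf '%s\n' "$text" \
          | sed "s|\(uses:[[:space:]]*\)$repo_ref\$|\1${repo_ref%@*}@$sha # ${repo_ref#*@}|")
    done <<EOF
$table
EOF
    printf '%s\n' "$text"
}

# Stand-alone usage: report unpinned references, show the rewritten workflow,
# then confirm the audit finds nothing left to pin.
echo "Unpinned before:"
unpinned_uses "$SAMPLE_WORKFLOW"
echo "Rewritten workflow:"
pin_workflow "$SAMPLE_WORKFLOW" "$SHA_TABLE"
echo "Unpinned after (expected empty):"
unpinned_uses "$(pin_workflow "$SAMPLE_WORKFLOW" "$SHA_TABLE")"
```

Running `unpinned_uses` over the real workflow files in CI (failing the job when it prints anything) is the cheap way to keep this PR's guarantee from eroding as new steps are added; the trailing `# <tag>` comment is what lets Dependabot keep updating the pinned SHAs.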

@brbrr brbrr self-assigned this May 11, 2026
Copilot AI review requested due to automatic review settings May 11, 2026 08:00
Copilot AI (Contributor) left a comment

Pull request overview

Pins GitHub Actions used across CI workflows to immutable commit SHAs (instead of moving tags) to reduce supply-chain risk and make Dependabot updates explicit/auditable.

Changes:

  • Replaced uses: <action>@<tag> with uses: <action>@<sha> # <tag> across workflow files.
  • Pinned tooling/setup actions for Rust, Go, Node, Docker, Codecov, stale bot, artifact upload/download, etc.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 1 comment.

Summary per file (File: Description)
.github/workflows/starknet-rust-tests.yml Pins actions/checkout and Rust toolchain action to SHAs for starknet-rust integration tests.
.github/workflows/starknet-rs-tests.yml Pins actions/checkout and Rust toolchain action to SHAs for starknet-rs integration tests.
.github/workflows/starknet-js-tests.yml Pins actions/checkout and actions/setup-node to SHAs for starknet.js integration tests.
.github/workflows/starknet-go-tests.yml Pins actions/checkout and actions/setup-go to SHAs for starknet.go integration tests.
.github/workflows/smoke-test.yaml Pins app-token creation and checkout actions to SHAs for smoke tests workflow.
.github/workflows/rust-lint.yml Pins checkout/toolchain/cache actions to SHAs for Rust linting workflow.
.github/workflows/release-published.yml Pins Docker Buildx setup action to a SHA for release publication automation.
.github/workflows/prepare-draft-release.yml Pins checkout, Buildx, and artifact download actions to SHAs for release preparation.
.github/workflows/juno-test.yml Pins checkout, Go/Rust setup, cache, and Codecov upload actions to SHAs for main test workflow.
.github/workflows/juno-lint.yml Pins checkout, Go setup, and golangci-lint action to SHAs.
.github/workflows/find-smallest-rust.yml Pins checkout, MSRV detection, and github-script actions to SHAs.
.github/workflows/docs-test.yml Pins checkout and Node setup actions to SHAs for docs build test.
.github/workflows/docs-deploy.yml Pins checkout, Node setup, and gh-pages deploy action to SHAs.
.github/workflows/docker-image-build-push.yml Pins checkout, Buildx, build/push actions to SHAs for image build/publish workflow.
.github/workflows/deploy-and-test.yaml Pins checkout action to SHA in deploy/test pipeline (plus related pinned actions already present).
.github/workflows/close-stale.yml Pins stale-action to a SHA for stale issue/PR automation.
.github/workflows/build-image.yaml Pins checkout action to SHA for internal image build workflow.
.github/workflows/build-binaries.yml Pins checkout, Go/Rust setup, cache, and artifact upload actions to SHAs.
.github/workflows/benchmark-sync.yaml Pins checkout action to SHA for benchmark sync workflow.


Comment thread .github/workflows/deploy-and-test.yaml Outdated
@brbrr brbrr temporarily deployed to Development May 11, 2026 08:07 — with GitHub Actions Inactive
codecov Bot commented May 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.94%. Comparing base (ee24986) to head (a3ee227).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3623      +/-   ##
==========================================
- Coverage   77.20%   75.94%   -1.26%     
==========================================
  Files         387      387              
  Lines       34917    34917              
==========================================
- Hits        26956    26517     -439     
- Misses       6017     6539     +522     
+ Partials     1944     1861      -83     


@brbrr brbrr temporarily deployed to Development May 11, 2026 09:15 — with GitHub Actions Inactive
@rodrodros rodrodros merged commit ac53d57 into main May 11, 2026
27 checks passed
@rodrodros rodrodros deleted the ci/pin-actions branch May 11, 2026 09:52