
[SECOPS-2289] pin all GitHub Actions to full commit SHAs for supply-chain security #sec#12

Open
nicolas-gagnon wants to merge 7 commits into cloudnull:main from figment-networks:fix/github-actions-hash-pinning

Conversation

@nicolas-gagnon nicolas-gagnon commented Jan 30, 2026

Summary

Pins all GitHub Actions in workflows to full 40-character commit SHAs instead of version tags, and uses the internal figment-github-actions reusable pre-commit workflow (also pinned by SHA).

Motivation

  • Improves supply-chain security by using immutable refs.
  • Aligns with GitHub’s recommendation and policy for SHA pinning.
  • Reduces risk of tag mutability or compromised tags.
  • Centralizes pre-commit logic in org-standard figment-github-actions.

Changes

Pre-commit workflow

  • Replaced inline steps with internal reusable workflow: figment-networks/figment-github-actions/.github/workflows/pre-commit.yaml@89b46e3bd29417a8c1a9129f0a200f63bf98b7e2
  • That workflow already uses pinned actions (checkout, setup-python, changed-files, pre-commit/action, upload-artifact).

Other workflows (inline pins)

  • actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
  • actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6

Files updated

  • .github/workflows/pre-commit.yaml (now calls internal reusable workflow with SHA pin)
  • .github/workflows/role-btrfs.yaml
  • .github/workflows/role-format.yaml
  • .github/workflows/role-lvg.yaml
  • .github/workflows/role-mdadm.yaml
  • .github/workflows/role-zfs_pool.yaml
  • .github/workflows/role-zfs_setup.yaml

@nicolas-gagnon nicolas-gagnon marked this pull request as ready for review January 30, 2026 20:42
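The review question a PR like this raises is how to keep the pins from regressing: a tag such as `@v6` or a branch such as `@main` can be moved to different code after review, while only a full 40-character commit SHA is immutable. The checker below is an added example, not code from this pull request or from the figment-github-actions project. It scans workflow YAML line by line for `uses:` refs and reports anything that is not a full SHA, optionally also flagging pinned refs that lack the conventional `# vN` comment recording which tag the SHA was taken from. The embedded workflow is constructed for illustration: the two checkout/setup-python SHAs and the reusable-workflow SHA are the ones quoted in the PR description, the other refs (`actions/cache@0c45773`, `./.github/actions/local-thing`, the job names) are made up.

```python
"""Find GitHub Actions `uses:` refs that are not pinned to a full commit SHA.

Added example, not part of this PR or the figment-github-actions project.
"""
import re
import sys

# A `uses:` line: optional list dash, the ref (owner/repo[/path]@ref, ./local,
# docker://...), and an optional trailing `# comment` that conventionally records
# the tag the SHA was resolved from.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>.*))?$"""
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")

# Constructed sample workflow. The three 40-char SHAs are the ones quoted in the PR;
# the cache ref and the local action are hypothetical.
SAMPLE_WORKFLOW = """\
name: role-btrfs
on: [push, pull_request]
jobs:
  pre-commit:
    uses: figment-networks/figment-github-actions/.github/workflows/pre-commit.yaml@89b46e3bd29417a8c1a9129f0a200f63bf98b7e2
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
      - uses: actions/setup-python@v6
      - uses: actions/upload-artifact@main
      - uses: actions/cache@0c45773
      - uses: ./.github/actions/local-thing
"""


def classify(ref, comment=None, require_comment=False):
    """Return None if `ref` is acceptably pinned, otherwise a short reason string."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local composite actions and container refs are out of scope here
    if "@" not in ref:
        return "no ref at all"
    pin = ref.rpartition("@")[2]
    if FULL_SHA_RE.fullmatch(pin):
        if require_comment and not (comment or "").strip():
            return "full SHA but no version comment"
        return None
    if SHORT_SHA_RE.fullmatch(pin):
        return "abbreviated SHA (use the full 40-character SHA)"
    return f"mutable ref {pin!r} (tag or branch)"


def find_unpinned(workflow_text, require_comment=False):
    """Scan workflow YAML text; return a list of (line_no, ref, reason) findings."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("ref"), m.group("comment"), require_comment)
        if reason:
            findings.append((line_no, m.group("ref"), reason))
    return findings


def main(paths):
    """CLI: report findings per file; exit status 1 if any ref is not fully pinned."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for line_no, ref, reason in find_unpinned(text, require_comment=True):
            print(f"{path}:{line_no}: {ref}: {reason}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in find_unpinned(SAMPLE_WORKFLOW, require_comment=True):
        print(*finding, sep=": ")
```

Run it as `python check_pins.py .github/workflows/*.yaml` from a pre-commit hook or a CI job so a later PR cannot quietly reintroduce `@v6`. The `# v5` comment is what lets a reviewer (and tools such as Dependabot) tell which release a bare SHA corresponds to, which is why the CLI mode treats a missing comment as a finding too.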
