Pin GitHub Actions to full commit SHAs #291

Open

Xeboc wants to merge 1 commit into trunk-io:main from Xeboc:pin-action-shas

Conversation

@Xeboc Xeboc commented Apr 17, 2026

Pins all uses: references in workflow files and composite actions to full commit SHAs. This allows users with org-level or repo-level SHA enforcement policies to use this action without policy violations caused by unpinned downstream dependencies.

When a user's org enforces SHA pinning, using trunk-io/trunk-action at a pinned SHA still fails because the action's own internal uses: references are unpinned:

Download action repository 'trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b' (SHA:75699af9e26881e564e9d832ef7dc3af25ec031b)
Getting action download info
Error: The actions actions/checkout@v4, peter-evans/find-comment@v3, peter-evans/create-or-update-comment@v4,
actions/cache@v4, actions/upload-artifact@v4, and 1 other are not allowed in testing/ci-cd-testing
because all actions must be pinned to a full-length commit SHA.

Unpinned action references are also a supply chain risk, as a tag can be moved to point to a different commit at any time. The recent Trivy advisory is a good example of how this attack surface gets exploited in practice.

Also moves inline "# external users, use: ..." comments to separate lines above their uses: step, which fixes a parsing issue in pinact where the comment text was being misread as a repo path.

Renovate will upgrade these SHAs automatically when it runs.
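The policy check the PR is working around (every uses: reference must resolve to a full-length commit SHA) is easy to reproduce locally before pushing. The script below is an added example, not code from the PR, from trunk-action or from pinact: it scans a workflow file line by line, extracts each uses: reference, strips any trailing comment so that an inline "# external users, use: ..." note cannot be mistaken for a repo path, and reports references that are neither a 40-hex SHA nor an exempt local (./) or docker:// action. The sample workflow is constructed for the example; the trunk-action SHA is the one quoted in the PR's log, and the run of "a" characters is a placeholder standing in for any other pinned SHA.

```python
import re

# A full-length git commit SHA: exactly 40 hex characters.
SHA40 = re.compile(r"^[0-9a-fA-F]{40}$")

# A step's `uses:` line. The capture stops at whitespace, quotes or `#`, so a
# trailing comment on the same line is never read as part of the reference.
USES_LINE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")

# Constructed sample workflow (not from the PR). Lines 7 and 8 are unpinned;
# the trunk-action SHA is the one shown in the PR's error log; the "aaaa..."
# SHA is a placeholder for any real pinned commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4 # external users, use: actions/cache@v4
      - uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b
      # external users, use: example/action@v1
      - uses: example/action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""


def parse_uses(text):
    """Return [(line_no, ref), ...] for every `uses:` reference in a workflow.

    Comment-only lines never match USES_LINE because the regex requires the
    line to start with (optional dash and) the `uses:` key, so a comment such
    as "# external users, use: example/action@v1" is ignored entirely.
    """
    refs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if match:
            refs.append((line_no, match.group(1)))
    return refs


def is_pinned(ref):
    """True if `ref` is exempt from pinning or pinned to a full commit SHA.

    Local composite actions (./path) and docker:// images are not GitHub
    repository references and are left alone; everything else must carry
    an @<40-hex-sha> suffix. A bare tag, branch or missing @ is unpinned.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False
    _, _, version = ref.rpartition("@")
    return bool(SHA40.fullmatch(version))


def find_unpinned(text):
    """Return the (line_no, ref) pairs that would violate a SHA-pinning policy."""
    return [(n, ref) for n, ref in parse_uses(text) if not is_pinned(ref)]


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full-length commit SHA")
```

Run against the sample, the check reports only actions/checkout@v4 and actions/cache@v4; the trunk-action reference, the placeholder SHA, the local composite action and the docker image pass. The trailing "# v1" comment after a SHA is a common convention for recording which tag the SHA was taken from, and the checker ignores it rather than parsing it.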
