chore(sec): pin github deps to shas (#1444)

## Launch Checklist

Our CI uses a few actions.
For these actions, we currently just use the mutable GitHub tag.

Since we use Dependabot to update the versions, we should use SHAs.
This makes sure that we are not affected by a certain class of supply
chain vulnerability where attackers re-publish bad tags.

Using SHAs matches GitHub recommendations and is a part of the OpenSSFs
Scorecard.


- [x] Confirm **your changes do not include backports from Mapbox
projects** (unless with compliant license) - if you are not sure about
this, please ask!
 - [ ] Add an entry to `CHANGELOG.md` under the `## main` section.
^--- not sure if you want this. Other maintenance actions don't show up
as well.

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      uses: github/codeql-action/autobuild@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@e296a935590eb16afc0c0108289f68c87e2a89a5 # v4.30.7