chore: Pin third-party GitHub Actions to full commit SHAs #34

Merged
jonatascastro12 merged 1 commit into main from devin/1777478737-pin-github-actions
Apr 29, 2026

@devin-ai-integration
Contributor

Description

Pin all third-party GitHub Actions to full commit SHAs, hardening the CI supply chain against compromised mutable version tags.

Each pinned reference includes a trailing version comment for readability (e.g. actions/checkout@<sha> # v4).

Checklist

  • I have run npm run lint, npm run typecheck, npm run build, and npm test locally.
  • I have updated the README or other docs if behavior changed.
  • I have added or updated tests if appropriate.

N/A — this PR only modifies .github/workflows/ files (no application code changes).

Closes https://linear.app/workos/issue/SECENG-294

Link to Devin session: https://app.devin.ai/sessions/add87be2227046f198fbac38a32e5358

@devin-ai-integration
Contributor Author

Original prompt from will.porter

'Pin all third-party Github Actions for Public SDKs' (SECENG-294)

User instruction: @devin can you look at the workos organization in GitHub, and report back all of the public repositories that are not archived, and whether or not they use any GitHub workflows?

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@linear-code
linear-code Bot commented Apr 29, 2026

@devin-ai-integration
Contributor Author

Third-Party Action SHA Age Report

| Action | Pinned Version | Full SHA | Commit Date | Age (days) | Status |
| --- | --- | --- | --- | --- | --- |
| actions/checkout | v6 | de0fac2e4500dabe0009e67214ff5f5447ce83dd | 2026-01-09 | 109 | ✅ OK |
| actions/setup-node | v6 | 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e | 2026-04-20 | 9 | ✅ OK |

@jonatascastro12 jonatascastro12 merged commit 09728c1 into main Apr 29, 2026
3 checks passed