CI: Hash-pin all actions

[woodruffw]

(Sorry for using a blank issue for this! None of the other templates seemed exactly right.)

I'm proposing that CPython's CI switch to fully-hash-pinned GitHub Actions references. This is enforced by default via zizmor, but currently CPython's configuration relaxes that default here:

cpython/.github/zizmor.yml

Line 10 in 17070f4

"*": ref-pin

Doing so should be a non-breaking change: the versions resolved will be the same as before, and tools like Dependabot/Renovate/pinact will continue to be able to update any action references, including their hashes.

Ref: https://docs.zizmor.sh/audits/#unpinned-uses

CC @sethmlarson

Linked PRs

• gh-146488: hash-pin all action references #146489
• gh-146488: hash-pin check-html-ids action references #147968
• gh-145000: Find correct merge base in reusable-check-html-ids.yml workflow #147975
• [3.10] gh-146488: hash-pin all action references (gh-146489) #147978
• [3.11] gh-146488: hash-pin all action references (gh-146489) #147979
• [3.12] gh-146488: hash-pin all action references (gh-146489) #147980
• [3.13] gh-146488: hash-pin all action references (gh-146489) #147981
• [3.14] gh-146488: hash-pin all action references (GH-146489) #147982
• [3.14] gh-146488: hash-pin all action references (gh-146489) #147983

[woodruffw]

Backporting this to 3.10-14 is going to be gnarly, so I'm going to manually do the equivalent. Tracking:

• 3.10: [3.10] gh-146488: hash-pin all action references (gh-146489) #147978
• 3.11: [3.11] gh-146488: hash-pin all action references (gh-146489) #147979
• 3.12: [3.12] gh-146488: hash-pin all action references (gh-146489) #147980
• 3.13: [3.13] gh-146488: hash-pin all action references (gh-146489) #147981
• 3.14: [3.14] gh-146488: hash-pin all action references (gh-146489) #147983