[repo] GitHub Actions hardening #2671

Merged
merged 1 commit into from
Mar 28, 2025

@Kielek Kielek commented Mar 27, 2025

Changes

Preventing problems similar to https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
In the auto-instrumentation repository we have had such a configuration for a while.

Scripts doing most of the job https://github.com/mheap/pin-github-action

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • [ ] Unit tests added/updated
  • [ ] Appropriate CHANGELOG.md files updated for non-trivial changes
  • [ ] Changes in public API reviewed (if applicable)

@github-actions github-actions bot added the infra Infra work - CI/CD, code coverage, linters label Mar 27, 2025
Kielek commented Mar 27, 2025

@alanwest, @rajkumar-rangaraj, if you are fine with it, I can prepare a similar PR for the main repo.

codecov bot commented Mar 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.79%. Comparing base (71655ce) to head (4160869).
Report is 785 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2671      +/-   ##
==========================================
- Coverage   73.91%   68.79%   -5.12%     
==========================================
  Files         267      389     +122     
  Lines        9615    15522    +5907     
==========================================
+ Hits         7107    10679    +3572     
- Misses       2508     4843    +2335     
Flag Coverage Δ
unittests-Contrib.Shared.Tests 83.52% <ø> (?)
unittests-Exporter.Geneva 49.30% <ø> (?)
unittests-Exporter.InfluxDB 95.14% <ø> (?)
unittests-Exporter.Instana 74.86% <ø> (?)
unittests-Exporter.OneCollector 94.60% <ø> (?)
unittests-Exporter.Stackdriver 79.26% <ø> (?)
unittests-Extensions 90.65% <ø> (?)
unittests-Extensions.Enrichment 100.00% <ø> (?)
unittests-Instrumentation.AWS 86.74% <ø> (?)
unittests-Instrumentation.AspNet 76.79% <ø> (?)
unittests-Instrumentation.AspNetCore 70.32% <ø> (?)
unittests-Instrumentation.ConfluentKafka 14.10% <ø> (?)
unittests-Instrumentation.ElasticsearchClient 80.12% <ø> (?)
unittests-Instrumentation.EntityFrameworkCore 57.06% <ø> (?)
unittests-Instrumentation.EventCounters 76.36% <ø> (?)
unittests-Instrumentation.GrpcCore 91.42% <ø> (?)
unittests-Instrumentation.GrpcNetClient 79.61% <ø> (?)
unittests-Instrumentation.Hangfire 93.58% <ø> (?)
unittests-Instrumentation.Http 74.09% <ø> (?)
unittests-Instrumentation.Owin 88.41% <ø> (?)
unittests-Instrumentation.Process 100.00% <ø> (?)
unittests-Instrumentation.Quartz 78.76% <ø> (?)
unittests-Instrumentation.Runtime 100.00% <ø> (?)
unittests-Instrumentation.ServiceFabricRemoting 34.54% <ø> (?)
unittests-Instrumentation.SqlClient 88.43% <ø> (?)
unittests-Instrumentation.StackExchangeRedis 71.63% <ø> (?)
unittests-Instrumentation.Wcf 78.57% <ø> (?)
unittests-PersistentStorage 65.55% <ø> (?)
unittests-Resources.AWS 75.08% <ø> (?)
unittests-Resources.Azure 84.56% <ø> (?)
unittests-Resources.Container 67.34% <ø> (?)
unittests-Resources.Gcp 71.15% <ø> (?)
unittests-Resources.Host 73.91% <ø> (?)
unittests-Resources.OperatingSystem 76.98% <ø> (?)
unittests-Resources.Process 100.00% <ø> (?)
unittests-Resources.ProcessRuntime 78.26% <ø> (?)
unittests-Sampler.AWS 88.25% <ø> (?)

see 395 files with indirect coverage changes

@Kielek Kielek marked this pull request as ready for review March 27, 2025 08:28
@Kielek Kielek requested a review from a team as a code owner March 27, 2025 08:28
@rajkumar-rangaraj rajkumar-rangaraj merged commit 2da7195 into open-telemetry:main Mar 28, 2025
213 checks passed
@rajkumar-rangaraj

> @alanwest, @rajkumar-rangaraj, if you are fine with it, I can prepare a similar PR for the main repo.

Thanks @Kielek, I'm fine with adding similar changes to the main repo.
