fix(ci): pin GitHub Actions to SHA hashes to prevent supply chain attacks

[bhabalan]

This pull request addresses

All GitHub Actions in CI workflows reference mutable version tags (e.g. @v3, @main). If an upstream action is compromised and its tag force-pushed to a malicious commit, our CI pipelines would silently execute attacker-controlled code with access to repository secrets (NPM_TOKEN, WEBEX_CLIENT_SECRET, GITHUB_TOKEN, etc.).

This is the exact attack vector exploited in CVE-2026-33634 (Trivy ecosystem supply chain compromise, March 2026), where 76 of 77 version tags in aquasecurity/trivy-action were force-pushed to malicious commits containing an infostealer. The webex/pr-title-checker@main reference was the highest-risk entry since it tracked a mutable branch head.

by making the following changes

Pin all GitHub Actions references to immutable commit SHA hashes across all 4 workflow files. Original version tags are preserved as inline comments for readability.

Action	Version	SHA
actions/checkout	v3	f43a0e5ff2bd294095638e18286ca9a3d1956744
actions/setup-node	v3.7.0	e33196f7422957bea03ed53f6fbb155025ffc7b8
actions/cache	v3	6f8efc29b200d32929f49075959781ed54ec270c
actions/github-script	v7	f28e40c7f34bde8b3046d885e986cb6290c5673b
webex/pr-title-checker	main	e914bff8ab5e6f1a6a270da6954cd6bfd1d7f1fb

Change Type

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update
• Tooling change
• Internal code refactor

The following scenarios were tested

• Verified all uses: references in workflow YAML files resolve to valid commit SHAs via GitHub API
• Confirmed no unpinned action references remain (grep for @v and @main patterns returns zero matches)
• No functional changes — only the uses: reference format changed from tag to SHA

The GAI Coding Policy And Copyright Annotation Best Practices

• GAI was not used (or, no additional notation is required)
• Code was generated entirely by GAI
• GAI was used to create a draft that was subsequently customized or modified
• Coder created a draft manually that was non-substantively modified by GAI (e.g., refactoring was performed by GAI on manually written code)
• Tool used for AI assistance (GitHub Copilot / Other - specify)
  • Github Copilot
  • Other - Claude Code
• This PR is related to
  • Feature
  • Defect fix
  • Tech Debt
  • Automation

I certified that

• I have read and followed contributing guidelines
• I discussed changes with code owners prior to submitting this pull request
• I have not skipped any automated checks
• All existing and new tests passed
• I have updated the documentation accordingly

---

Make sure to have followed the contributing guidelines before submitting.

[aws-amplify-us-east-2]

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-4840.d3m3l2kee0btzx.amplifyapp.com