
Pin all GitHub Actions to specific versions in CI workflows #369

@nanotaboada

Description

Currently, our GitHub Actions workflows reference actions using major-only tags (e.g., actions/checkout@v4). This allows for automatic minor and patch updates, which can introduce breaking changes or security risks without visibility.

To improve security, reproducibility, and compatibility with Dependabot, we should pin all actions to fully qualified versions (e.g., actions/checkout@v4.2.2).

Proposed Solution

Update all workflow files to replace loose version tags (e.g., @v4) with fully pinned semantic versions (e.g., @v4.2.2). This ensures:

  • Builds remain stable over time.
  • Changes to action versions are explicit and reviewable (via Dependabot).
  • The CI system is less prone to unexpected behavior.

Suggested Implementation

Before

- uses: actions/checkout@v4

After

- uses: actions/checkout@v4.2.2

You can get the latest versions from https://github.com/marketplace?type=actions

Acceptance Criteria

  • All GitHub Actions in workflow YAML files are pinned to specific versions (e.g., @vX.Y.Z).
  • Workflows pass successfully after changes.
  • Dependabot is already configured to detect updates to actions.
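An added example, not part of this issue or of the project's own tooling: a small Python checker that applies the acceptance criterion above to a workflow file. It separates major-only tags such as @v4 (the form this issue wants removed) from fully pinned @vX.Y.Z tags, and also accepts 40-character commit SHAs, because a version tag can be moved or re-pushed by an action's maintainer, so GitHub's hardening guidance treats the full-length commit SHA as the immutable form of pinning; @vX.Y.Z satisfies this issue, and a SHA is the stricter option if the project later wants it. The second function performs the Before/After rewrite for a mapping of action to version that you supply (for example from the Marketplace page linked above). The sample workflow text, its version numbers and the SHA are constructed for the example and are not from the project's repository.

```python
import re

# Constructed sample workflow (not the project's real CI file). It mixes the
# major-only tag the issue flags, a fully pinned tag, a commit-SHA pin, a local
# action and a docker reference, so every branch of the classifier is exercised.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.2
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # hypothetical SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# `uses:` value up to whitespace or a trailing YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # v4.2.2  (acceptance criterion)
MAJOR_ONLY_RE = re.compile(r"^v?\d+(\.\d+)?$")      # v4 or v4.2 (floating tag)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full-length commit SHA


def classify_ref(ref):
    """Classify one `uses:` value as sha, semver, loose, local, docker or other."""
    if ref.startswith("./"):
        return "local"           # action in this repository; pinned with the checkout
    if ref.startswith("docker://"):
        return "docker"          # image tag; out of scope for this issue
    if "@" not in ref:
        return "other"           # remote action with no ref at all
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "sha"
    if FULL_SEMVER_RE.match(version):
        return "semver"
    if MAJOR_ONLY_RE.match(version):
        return "loose"
    return "other"               # branch name such as @main, also floating


def find_unpinned(workflow_text):
    """Return the remote action references that fail the pinning criterion."""
    return [ref for ref in USES_RE.findall(workflow_text)
            if classify_ref(ref) in ("loose", "other")]


def pin_refs(workflow_text, pins):
    """Rewrite loose `owner/repo@vN` references to the versions given in `pins`.

    `pins` maps action name to the pinned version, e.g. {"actions/checkout": "v4.2.2"}.
    References that are already pinned, or not listed in `pins`, are left untouched.
    """
    def repl(match):
        ref = match.group(1)
        if classify_ref(ref) != "loose":
            return match.group(0)
        action, _, _ = ref.rpartition("@")
        if action not in pins:
            return match.group(0)
        return match.group(0).replace(ref, f"{action}@{pins[action]}")

    return USES_RE.sub(repl, workflow_text)


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
    print(pin_refs(SAMPLE_WORKFLOW, {"actions/checkout": "v4.2.2"}))
```

Run it over each file under .github/workflows and treat a non-empty result from find_unpinned as a failing check; once the references are rewritten, Dependabot's github-actions ecosystem will propose the version bumps as explicit pull requests.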

Metadata

Labels

  • dependencies: Pull requests that update a dependency file
  • enhancement: New feature or request
  • github_actions: Pull requests that update GitHub Actions code
