GH-49727: [CI] Pin GitHub Actions to commit SHAs instead of tags

[thisisnic]

Rationale for this change

GHA pinned to tags (movable) not SHAs (unique)

What changes are included in this PR?

Ping to SHAs

Are these changes tested?

CI will run

Are there any user-facing changes?

No

• GitHub Issue: [CI] Pin GitHub Actions to commit SHAs instead of tags #49727

[github-actions]

⚠️ GitHub issue #49727 has been automatically assigned in GitHub to PR creator.

[thisisnic]

I believe that these failures are expected:

• "Verify RC..." - because there's no active RC staged right now
• CUDA - [Python][C++][GPU] Python Cuda jobs fail with 'cuda.bindings.driver.CUcontext' object has no attribute 'value' #49437
• RHub GCC 13 with LTO - failing on main - [R][CI] Disable Rhub GCC 12 and GCC 13 with LTO jobs — images no longer match CRAN #49737

[raulcd]

We did stop pinning hash specifically for those due to the policy not requiring pinning sha for non external actions, see:
#48327

@kou what are your thoughts on this?

@kevinjqliu do you have any insight on whether this should specify hash or not? I see that iceberg-python move to specify a hash (apache/iceberg-python#3194)
but based on policy: https://infra.apache.org/github-actions-policy.html the actions/checkout is not strictly required.

I don't want to merge this and remove it in 6 months, I'd rather push for a change of policy and require pinning for all.

[kou]

We did stop pinning hash specifically for those due to the policy not requiring pinning sha for non external actions, see: #48327

@kou what are your thoughts on this?

I want to use @vX for actions/* because the ASF GitHub Actions policy allows it. (See also the PR #48327 description.)

But we need to pin SHA for other actions such as msys2/* and r-lib/*.

How about pinning only other actions?