
ci: pin actions in credential-bearing release workflows#6172

Open
Rahuwale123 wants to merge 1 commit into google:main from Rahuwale123:security/pin-release-actions

Conversation

@Rahuwale123


Link to Issue or Description of Change

No existing issue.

Problem:

Several release and release-adjacent workflows that receive publishing tokens,
repository PATs, cloud/API credentials, or an SSH key reference GitHub Actions
through mutable version tags. A moved or compromised tag could change the code
executed by those credential-bearing jobs without a corresponding change in
this repository.

Solution:

Pin all 19 Action references in the eight credential-bearing release workflows
to their currently resolved immutable commit SHAs. Version-tag comments remain
beside each SHA for readability and maintainability.

The scope is intentionally limited to these credential-bearing release
workflows. The approximately 31 other unpinned Action references reported
elsewhere in the repository are outside this focused PR. No workflow behavior,
trigger, permission, application code, or release logic changes.

Testing Plan

Automated validation:

  • git diff --check passed.
  • All eight modified workflow files parsed successfully as YAML.
  • Every pinned commit was verified through the GitHub API to contain its
    expected action.yml (restore/action.yml and save/action.yml for the
    cache sub-actions).
  • Zizmor was run against the identical eight-file set before and after:
    • Before: 19 unpinned-uses findings.
    • After: 0 unpinned-uses findings.

Unit Tests:

  • Not applicable: this change only replaces mutable Action tags with the
    corresponding immutable SHAs and does not modify runtime code.

Manual End-to-End (E2E) Tests:

  • Not run: executing these workflows would perform privileged release or
    release-adjacent operations. The referenced Action definitions and workflow
    syntax were validated without triggering a release.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • Version comments are included beside each immutable SHA.
  • Validation demonstrates that the focused Zizmor findings are resolved.
  • New and existing unit tests pass locally with my changes (not applicable; no runtime code changed).
  • I have manually tested my changes end-to-end (not run; would trigger privileged release operations).
  • No dependent downstream changes are required.

Additional context

This PR deliberately avoids bundling a repository-wide Zizmor policy or
unrelated workflow hardening so the change remains small and reviewable.
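Checking that a workflow's `uses:` references are full-SHA pins, and that each pin still carries a version comment, as an added example that is not part of this PR or the repository (the sample workflow and the 40-hex SHAs in it are constructed placeholders):

```python
import re
# Constructed sample workflow (not a file from the google repository): it mixes
# mutable tag/branch references with full-SHA pins; the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.1
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/cache/restore@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA is immutable


def classify_uses(ref):
    """Return 'pinned', 'unpinned' or 'exempt' for one `uses:` target."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "exempt"  # local action or container image: no git tag to pin here
    if "@" not in ref:
        return "unpinned"  # no ref at all resolves to the action's default branch
    git_ref = ref.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA_RE.match(git_ref) else "unpinned"  # tags/branches move


def audit_workflow(text):
    """Classify every `uses:` line; a SHA pin without a version comment is flagged too."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        status = classify_uses(ref)
        if status == "pinned" and not re.search(r"\d", comment):
            status = "pinned-no-version-comment"  # bare SHA is unreadable for maintainers
        findings.append({"line": lineno, "uses": ref, "status": status})
    return findings


def unpinned_count(text):
    return sum(1 for f in audit_workflow(text) if f["status"] == "unpinned")
```

Run over the eight release workflow files, `unpinned_count` should read 0 after a change like this one, matching the before/after numbers the PR reports from Zizmor.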

@google-cla

google-cla Bot commented Jun 20, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up-to-date status, view the checks section at the bottom of the pull request.

@Rahuwale123 Rahuwale123 marked this pull request as ready for review June 20, 2026 10:04
