This repository was archived by the owner on May 19, 2026. It is now read-only.

CLOUD-410 ktlo: pin GitHub actions to commit SHAs #152

Open

desouradeep wants to merge 1 commit into master from ktlo/pin-gh-actions

Conversation


desouradeep commented May 13, 2026

Action required from the owning team: please review and merge this PR. It was opened as part of an org-wide rollout for CLOUD-410; the Cloud team is not merging on your behalf.

This is a cross-repo PR from a fork in my personal account (desouradeep/…) because I lack direct push access to this repo. The branch and commits are on the fork; the diff is the same as the 200+ other CLOUD-410 PRs across the org.

Summary

Pins all external GitHub Actions in this repo from mutable tags (e.g. @v4) to immutable commit SHAs, and ensures Dependabot is configured to keep them updated.

Improves supply-chain security per CLOUD-410. Each pinned line keeps the original tag as a trailing comment for readability.

  • Jimdo-owned actions (Jimdo/…) are intentionally not pinned (out of scope per the ticket).
  • Local actions (./...) are untouched.
  • Dependabot is configured (or updated) to track github-actions monthly, on the 1st of each month, at an hour staggered between 09:00–15:00 Europe/Berlin (one fixed hour per repo). A 3-day cooldown filters out brand-new releases.

Test plan

  • CI passes
  • No unintended changes outside .github/
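The policy the PR description spells out (external actions pinned to a full commit SHA with the original tag kept as a trailing comment, Jimdo-owned and local actions left alone) can be checked mechanically. The script below is an added example written for this page, not code from the PR or the repository: it scans `uses:` lines of a workflow with a regular expression (not a full YAML parser), classifies each reference against that policy, and shows the rewrite a pinned line takes. The sample workflow is constructed, the 40-zero SHA is a placeholder rather than a real commit of any action, and the `Jimdo` exemption is taken from the description above. Dependabot's schedule and cooldown settings are not modelled here.

```python
import re
from typing import List, NamedTuple, Optional

# Placeholder SHA for the constructed sample; not a real commit of any action.
PLACEHOLDER_SHA = "0" * 40

# Constructed sample workflow (not this repository's file). It mixes the cases
# the PR description lists: an unpinned external action, a pinned one with the
# tag kept as a trailing comment, a Jimdo-owned action, and a local action.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA} # v4
      - uses: Jimdo/internal-action@v1
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Owners whose actions the rollout deliberately leaves unpinned (per the PR text).
EXEMPT_OWNERS = {"Jimdo"}

# `uses:` value up to the first whitespace or '#', then an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int
    ref: str
    status: str  # pinned | pinned-no-comment | unpinned | unversioned | docker | local | exempt


def classify(ref: str, comment: Optional[str]) -> str:
    """Decide whether one `uses:` reference satisfies the pinning policy."""
    if ref.startswith("./"):
        return "local"                    # untouched by the rollout
    if ref.startswith("docker://"):
        return "docker"                   # container refs are outside this check
    owner = ref.split("/", 1)[0]
    if owner in EXEMPT_OWNERS:
        return "exempt"
    _name, sep, version = ref.partition("@")
    if not sep:
        return "unversioned"              # no ref at all: resolves to the default branch
    if SHA_RE.match(version):
        return "pinned" if comment else "pinned-no-comment"
    return "unpinned"                     # tag or branch name: mutable


def audit_workflow(text: str) -> List[Finding]:
    """Scan a workflow file and classify every `uses:` line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(no, m["ref"], classify(m["ref"], m["comment"])))
    return findings


def unpinned_refs(text: str) -> List[str]:
    """References that still point at a mutable tag, branch or default branch."""
    return [f.ref for f in audit_workflow(text) if f.status in ("unpinned", "unversioned")]


def pinned_form(ref: str, sha: str) -> str:
    """Rewrite `owner/repo@tag` as `owner/repo@<sha> # tag`, keeping the tag as a comment."""
    if not SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    name, _, tag = ref.partition("@")
    return f"{name}@{sha} # {tag}" if tag else f"{name}@{sha}"


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref} -> {f.status}")
    print("still unpinned:", unpinned_refs(SAMPLE_WORKFLOW))
```

Run against the sample, only `actions/checkout@v4` on line 7 is reported as unpinned; the `pinned-no-comment` status is kept separate so a reviewer can see that a line was pinned but lost the human-readable tag the PR keeps as a trailing comment. A real SHA for the rewrite must come from the upstream repository's release, which this script does not look up.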

@desouradeep desouradeep marked this pull request as ready for review May 13, 2026 11:19

@MorrisJobke MorrisJobke left a comment


CI/CD is broken for the repo, because it isn't actively maintained anymore. But let's pin the versions for now.
