chore: pin GitHub Actions to SHA for supply chain security

Pin all external GitHub Actions to specific commit SHAs.

Changes:
- actions/checkout@v4 → pinned to SHA
- actions/setup-go@v5 → pinned to SHA

Co-authored-by: Ona <no-reply@ona.com>

Author: jespino

.github/workflows/ci.yml

@@ -20,10 +20,10 @@ jobs:
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: ./go.mod
 
@@ -35,10 +35,10 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/gitpod-go' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version-file: ./go.mod