chore: pin third-party GitHub Actions to commit SHAs

[mahangu]

Pins third-party GitHub Actions in this repo to immutable commit SHAs.

This is a draft PR for review before merging. It was prepared with agent assistance and manually verified.

Tracking: DEVPROD-1072

Repo-level summary:

• Pinned distinct third-party action refs in this PR: 2
• Repo-level unpinned usage count from the trunk recheck: 4
• Dependabot GitHub Actions coverage: already_present (.github/dependabot.yml)

Verification commands:

# ramsey/composer-install # 3.1.1 -> 3cf229dc2919194e9e36783941438d17239e8520
gh api repos/ramsey/composer-install/commits/3.1.1 --jq '.sha'
# expected: 3cf229dc2919194e9e36783941438d17239e8520

# shivammathur/setup-php # 2.37.1 -> 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
gh api repos/shivammathur/setup-php/commits/2.37.1 --jq '.sha'
# expected: 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/ramsey/composer-install	3cf229dc2919194e9e36783941438d17239e8520	🟢 4.5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 12 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 2 Found 5/24 approved changesets -- score normalized to 2 Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/shivammathur/setup-php	7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc	🟢 7.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/22 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected SAST 🟢 7 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/phpcs.yaml