build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola <jimisola@jimisola.com>

Author: Jimisola Laursen

.github/workflows/check-semantic-pr.yml

@@ -5,4 +5,4 @@ on:
 
 jobs:
   check:
-    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07

.github/workflows/publish_pypi_prod.yml

@@ -31,6 +31,6 @@ jobs:
           path: dist
       - name: Publish distribution 📦 to PyPI
         # if: startsWith(github.ref, 'refs/tags')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           sign-artifacts: true

.github/workflows/publish_pypi_test.yml

@@ -28,7 +28,7 @@ jobs:
           name: dist
           path: dist
       - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           repository-url: https://test.pypi.org/legacy/
           sign-artifacts: true