fix(ci): pin GitHub Actions to full-length commit SHAs

Pin all GitHub Actions to full-length commit SHAs to comply with
Kubernetes organization security policy that requires all actions
must be pinned to prevent supply chain attacks.

This change addresses the CI failures:
  "The actions actions/checkout@v4 and actions/dependency-review-action@v4
   are not allowed in kubernetes/cloud-provider-aws because all actions
   must be pinned to a full-length commit SHA."

Actions pinned with release verification:

- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
```
Release: https://github.com/actions/checkout/releases/tag/v4.3.1
Commit: actions/checkout@34e1148
```

- actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
```
Release: https://github.com/actions/dependency-review-action/releases/tag/v4.9.0
Commit: actions/dependency-review-action@2031cfc
```

- golang/govulncheck-action@v1 → @31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4)
```
Commit: golang/govulncheck-action@31f7c54
Note: Using master HEAD instead of v1.0.4 because v1.0.4 contains unpinned
      transitive dependencies (actions/checkout@v4.1.1, actions/setup-go@v5.0.0).
      The master branch includes a fix from Feb 2026 that pins these dependencies.
      See: golang/govulncheck-action@31f7c54
```

- helm/chart-releaser-action@v1.7.0 → @a0d2dc62c5e491af8ef6ba64a2e02bcf3fb33aa1 # v1.7.0
```
Release: https://github.com/helm/chart-releaser-action/releases/tag/v1.7.0
Commit: helm/chart-releaser-action@a0d2dc6
```

- actions/github-script@v7 → @f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
```
Release: https://github.com/actions/github-script/releases/tag/v7.1.0
Commit: actions/github-script@f28e40c
```

Files modified:
- .github/workflows/deps.yml
- .github/workflows/tag.yml
- .github/workflows/helm_chart_release.yaml
- .github/workflows/kpromo-reminder.yaml

Justification:
Pinning actions to commit SHAs instead of mutable tags (v4, v1.7.0, etc.)
prevents potential security vulnerabilities where a tag could be moved to
point to malicious code. This is a required security practice in the
Kubernetes organization to ensure supply chain integrity and is enforced
by GitHub Actions policy for kubernetes/* repositories.

GitHub enforces that not only direct action dependencies must be pinned,
but also transitive dependencies (actions used within composite actions).
This is why govulncheck-action required using the master branch commit
instead of the latest release tag.

Each SHA has been verified against the official release tags to ensure
we're using the intended versions while meeting security requirements.

Reviewed-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: mtulio

.github/workflows/deps.yml

@@ -46,4 +46,4 @@ jobs:
       - id: govulncheck-tests-e2e
         uses: golang/govulncheck-action@31f7c5463448f83528bd771c2d978d940080c9fd # master (post-v1.0.4 with pinned deps)
         with:
-          go-version-file: tests/e2e/go.mod
+          go-version-file: tests/e2e/go.mod