
VLN-1357: remediate unpinned-github-actions#332

Closed
picatz wants to merge 1 commit into main from camper/unpinned-github-actions-finding-pin-actions-ui-server

Conversation


@picatz picatz commented May 27, 2026


🏕️ This pull request was created by camper, an automated security campaign tool.

Finding

Rule: unpinned-github-actions
Severity: MEDIUM
Repository: temporalio/ui-server
Ticket: VLN-1357

Summary

  • .github/actions/setup-go/action.yaml: Pinned actions/setup-go@v4 and arduino/setup-protoc@v1 to full commit SHAs with exact semver comments.
  • .github/actions/docker-build-push/action.yml: Pinned docker/metadata-action@v4 and docker/build-push-action@v4 to full commit SHAs with exact semver comments.
  • .github/actions/setup-docker/action.yaml: Pinned docker/setup-qemu-action@v2, docker/setup-buildx-action@v2, and docker/login-action@v3 to full commit SHAs with exact semver comments.
  • .github/actions/setup-node/action.yaml: Pinned pnpm/action-setup@v4, actions/setup-node@v4, and actions/cache@v3 to full commit SHAs with exact semver comments.
  • .github/actions/download-and-build-ui/action.yaml: Pinned actions/checkout@v3 to a full commit SHA with an exact semver comment.
  • .github/workflows/on-commit-dispatch.yml: Pinned actions/create-github-app-token@v2 and actions/checkout@v4 to full commit SHAs with exact semver comments.
  • .github/workflows/on-release-dispatch.yml: Pinned actions/create-github-app-token@v2, actions/checkout@v4, and softprops/action-gh-release@v2 to full commit SHAs with exact semver comments.
  • .github/workflows/manual-docker-push.yaml: Pinned actions/checkout@v4 to a full commit SHA with an exact semver comment.
  • .github/workflows/on-commit.yaml: Pinned actions/checkout@v4 to a full commit SHA with an exact semver comment.
  • .github/workflows/on-release.yaml: Pinned actions/checkout@v4, goreleaser/goreleaser-action@v6, actions/create-github-app-token@v2, and peter-evans/repository-dispatch@v3 to full commit SHAs with exact semver comments.
  • .github/workflows/test.yml: Pinned actions/checkout@v4 to a full commit SHA with an exact semver comment.

Instructions

  • Approve to merge this fix
  • Request changes to trigger a new remediation attempt
  • /camper rebase — rebase onto the base branch
  • /camper close — close this PR without merging
  • /camper retry — close and retry with a new fix

@picatz picatz requested a review from a team as a code owner May 27, 2026 14:54
@semgrep-managed-scans


Semgrep found 1 missing-explicit-permissions finding:

No explicit GITHUB_TOKEN permissions found at the workflow or job level. Add a permissions: block at the workflow root (applies to all jobs) or per job with least privilege (e.g., contents: read and only specific writes like pull-requests: write if needed).
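As an added example (not code from the PR, from temporalio/ui-server, from camper or from Semgrep), the following Python script performs the two checks this thread is about: it flags `uses:` references that are not pinned to a full 40-hex commit SHA, which is what the PR's pinning change addresses, and it flags a workflow that declares no `permissions:` block either at the workflow root or inside every job, which is the Semgrep finding. The workflow texts embedded in it are constructed samples, and the SHA values and the `# v4.0.0` version comments in them are placeholders, not the repository's files or the exact versions the PR pinned. It parses line by line so it needs no YAML library.

```python
import re

# Constructed sample workflows for demonstration (not files from temporalio/ui-server).
# The 40-hex SHAs and version comments below are placeholders, not real commits.
WEAK_WORKFLOW = """\
name: test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v4
"""

HARDENED_WORKFLOW = """\
name: test
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.0.0 (placeholder)
      - uses: actions/setup-go@fedcba9876543210fedcba9876543210fedcba98 # v4.0.0 (placeholder)
      - uses: ./.github/actions/setup-node
"""

# Job-level permissions on one job only: the second job still runs with the default token.
JOB_LEVEL_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.0.0 (placeholder)
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
"""

USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for every `uses:` not pinned to a full commit SHA.

    A tag or branch such as @v4 can be moved by the action's maintainers, so only
    a 40-hex SHA counts as pinned. Local (./path) and docker:// refs are skipped.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings


def has_explicit_permissions(workflow_text):
    """True if `permissions:` is set at the workflow root or inside every job."""
    lines = workflow_text.splitlines()
    if any(re.match(r"^permissions:", line) for line in lines):
        return True  # a root-level block applies to all jobs
    jobs = {}           # job name -> has its own permissions: key
    current = None
    job_indent = None   # indentation of job names under jobs:
    body_indent = None  # indentation of keys directly inside a job
    in_jobs = False
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip().split(":", 1)[0]
        if indent == 0:
            in_jobs = key == "jobs"  # entering or leaving the jobs block
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current, body_indent = key, None
            jobs[current] = False
        elif current is not None:
            if body_indent is None:
                body_indent = indent
            if indent == body_indent and key == "permissions":
                jobs[current] = True
    return bool(jobs) and all(jobs.values())


def audit(workflow_text):
    """Summarise both checks for one workflow file."""
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "explicit_permissions": has_explicit_permissions(workflow_text),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                       ("job-level", JOB_LEVEL_WORKFLOW)):
        print(name, audit(text))
```

Running it reports both `uses:` lines of the weak sample as unpinned and no explicit permissions; the hardened sample passes both checks; the job-level sample passes pinning but fails the permissions check because only one of its two jobs restricts the token, which is the per-job case the Semgrep message describes.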


picatz commented Jun 4, 2026

Author

This PR has had no activity for 8 days and may need attention.

Actions you can take:

  • Review and approve if the changes look good
  • Close if this fix is no longer needed
  • Comment /camper rebase to rebase onto the latest base branch
  • Comment /camper retry to regenerate the fix


picatz commented Jun 11, 2026

Author

This PR has had no activity for 7 days and may need attention.

Actions you can take:

  • Review and approve if the changes look good
  • Close if this fix is no longer needed
  • Comment /camper rebase to rebase onto the latest base branch
  • Comment /camper retry to regenerate the fix

@picatz picatz closed this Jun 11, 2026

picatz commented Jun 11, 2026

Author

Closing this PR: superseded: Re-pin with Deputy (was stale Codex / behind); campaign consistency
