[3.14] gh-146488: hash-pin all action references (gh-146489)

[woodruffw]

This is like #146489, but recreated for 3.14 because of CI drift.

Important: unlike the others, this leaves some unpinned @master references because pinact won't pin those by default. I can also pin them (they're pinned on the living head), but haven't done so yet. Please let me know what you'd prefer!

• Issue: CI: Hash-pin all actions #146488

[hugovk]

If we decided to pin @master in main, let's do for backports as well. If nothing else, it'll make future backports easier. And be a bit more secure?

[sethmlarson]

Agreed with @hugovk, whatever we have in main should be backported to make future changes easier.

[woodruffw]

Done! Unfortunately I think Dependabot and other tools don't do a good job of auto-bumping those kind of master refs, but maybe gha-update can do it?

[hugovk]

Let's also remove unpinned-uses from .github/zizmor.yml in all of these backports.

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[woodruffw]

Let's also remove unpinned-uses from .github/zizmor.yml in all of these backports.

Oops, thanks. It wasn't present in some of the older version branches so I didn't think to remove it elsewhere...

[woodruffw]

I have made the requested changes; please review again.

[bedevere-app]

Thanks for making the requested changes!

@hugovk: please review the changes made to this pull request.