Commit 84b7aca

Authored by pkaeding, devin-ai-integration[bot], kinyoklion
chore: pin third-party GitHub Actions to commit SHAs (#18)

## Summary

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule.

### Updates since initial revision

- Version comments now use fully qualified version numbers (e.g. `# v4.4.0` instead of `# v4`)
- `ruby/setup-ruby` bumped from v1.295.0 (`319994f...`) to **v1.299.0** (`3ff19f5e2baf30647122352b96108b1fbe250c64`), the latest v1 release
- `googleapis/release-please-action` confirmed at **v4.4.0** (`16a9c90856f42705d54a6fda1823352bdc62cf38`), already the latest v4 release

Release links for verification:

- [ruby/setup-ruby v1.299.0](https://github.com/ruby/setup-ruby/releases/tag/v1.299.0)
- [googleapis/release-please-action v4.4.0](https://github.com/googleapis/release-please-action/releases/tag/v4.4.0)

## Review & Testing Checklist for Human

- [ ] Verify the pinned SHAs match the expected release tags using the release links above
- [ ] Confirm CI passes with the updated `ruby/setup-ruby` v1.299.0 (bumped from v1.295.0)

### Notes

- The `slsa-framework/slsa-github-generator` reference on line 61 of `release-please.yml` remains at `@v2.0.0` (floating tag) — this action [cannot be pinned to a commit SHA](launchdarkly/ruby-server-sdk#374 (comment)).

---

> [!NOTE]
> **Low Risk**
> Low risk: changes only pin GitHub Action references to specific commits, with no functional logic changes beyond potential action version drift if the pinned SHAs differ from the floating tags.
>
> **Overview**
> Pins third-party GitHub Actions to immutable commit SHAs to harden CI/release workflows against supply-chain tampering.
>
> Updates `ruby/setup-ruby@v1` usages (composite CI action, Windows CI job, and docs publish workflow) to a specific commit SHA, and similarly pins `googleapis/release-please-action@v4` in the release workflow to a specific `v4.4.0` commit.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 12e5cd3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Link to Devin session: https://app.devin.ai/sessions/56bd3c6eff084ef4802aaa48b08ebab6
Requested by: @kinyoklion

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
1 parent 31e7222 commit 84b7aca
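The commit message above describes two checks that were applied by hand: every third-party `uses:` reference must name a full 40-hex commit SHA, and the trailing comment must be a fully qualified `# vX.Y.Z`. The Ruby script below is an added example that mechanises both checks over workflow text; it is not code from this commit, from the page, or from the ruby-server-sdk project. The exemption of GitHub-owned actions (`actions/`, `github/`) is an assumed policy mirroring the commit's "third-party" scope, the sample workflow is constructed to resemble the diff, and the names `FIRST_PARTY_OWNERS`, `audit_uses` and `verify_command` are chosen here.

```ruby
# Added example for this commit page; not code from the
# launchdarkly/ruby-server-sdk repository. It audits `uses:` references in
# GitHub Actions workflow text for the two conditions the commit fixes by hand:
#   * a third-party action referenced by a tag or branch instead of a 40-hex SHA
#   * a SHA pin whose trailing comment is not a fully qualified `# vX.Y.Z`
# Exempting GitHub-owned actions (`actions/`, `github/`) is an assumed policy
# that mirrors the commit's "third-party" scope; it is not stated on the page.
require 'set'

FIRST_PARTY_OWNERS = Set['actions', 'github'].freeze
USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?\s*(#\s*(\S+))?/
SHA_RE = /\A[0-9a-f]{40}\z/
FULL_VERSION_RE = /\Av\d+\.\d+\.\d+/

# Returns an array of findings ({path:, line:, ref:, issue:}) for one file's text.
def audit_uses(yaml_text, path: '<inline>')
  findings = []
  yaml_text.each_line.with_index(1) do |line, lineno|
    m = USES_RE.match(line) or next
    ref, comment = m[1], m[3]
    # Local composite actions and Docker images are outside this check's scope.
    next if ref.start_with?('./', 'docker://')
    repo, version = ref.split('@', 2)
    third_party = !FIRST_PARTY_OWNERS.include?(repo.split('/').first)
    sha_pinned = version.to_s.match?(SHA_RE)
    if third_party && !sha_pinned
      findings << { path: path, line: lineno, ref: ref, issue: :not_pinned_to_sha }
    elsif sha_pinned && !comment.to_s.match?(FULL_VERSION_RE)
      findings << { path: path, line: lineno, ref: ref, issue: :missing_full_version_comment }
    end
  end
  findings
end

# Builds the command a reviewer runs to confirm that a pinned SHA is the commit
# the release tag points to. For an annotated tag the output carries two lines;
# the `<tag>^{}` line is the peeled commit and must equal the SHA in `uses:`.
def verify_command(ref, tag)
  repo = ref.split('@', 2).first
  "git ls-remote --tags https://github.com/#{repo} #{tag}"
end

# Constructed sample: shaped like the workflows in the diff, with one unpinned
# third-party action and one SHA pin that still carries a `# v4` style comment.
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    build:
      steps:
        - uses: actions/checkout@v4
        - uses: ./.github/actions/ci
        - uses: ruby/setup-ruby@v1
        - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
        - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
YAML

if $PROGRAM_NAME == __FILE__
  audit_uses(SAMPLE_WORKFLOW, path: 'ci.yml').each do |f|
    puts "#{f[:path]}:#{f[:line]}: #{f[:issue]} (#{f[:ref]})"
  end
  puts verify_command('ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64', 'v1.299.0')
end
```

On the sample the audit reports line 6 (`ruby/setup-ruby@v1`, floating tag) and line 7 (SHA pinned but commented `# v4`); the `actions/checkout@v4` line passes only because of the assumed first-party exemption. The `git ls-remote` command is the offline-free half of the commit's checklist: run it, and for an annotated tag compare the SHA on the `v1.299.0^{}` line (not the tag object on the line above it) with the value in `uses:`, since `uses:` resolves only commit SHAs. The Semgrep rule linked in the commit message is the in-repo enforcement; a script like this is a local cross-check that also catches the comment drift the rule does not look at.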

4 files changed: +4 −4 lines changed

.github/actions/ci/action.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ inputs:
88
runs:
99
using: composite
1010
steps:
11-
- uses: ruby/setup-ruby@v1
11+
- uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
1212
with:
1313
ruby-version: ${{ inputs.ruby-version }}
1414
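Review bot: the `# v1.299.0` comment is the only readable statement of what `3ff19f5e2baf30647122352b96108b1fbe250c64` is, and nothing in this hunk ties the two together, so the checklist item in the commit message (confirm the SHA against the release page) is the actual control here. Check that the SHA is the commit the tag resolves to rather than an annotated tag object, since `uses:` accepts only a commit, and consider adding a Dependabot or Renovate rule for the `github-actions` ecosystem so future bumps are proposed automatically and the reviewer re-checks that the comment still describes the hash beside it.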

.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ jobs:
4343
steps:
4444
- uses: actions/checkout@v4
4545

46-
- uses: ruby/setup-ruby@v1
46+
- uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
4747
with:
4848
ruby-version: 3.4
4949
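Review bot: `actions/checkout@v4` on line 44 stays on a mutable tag directly above the newly pinned `ruby/setup-ruby` step, so this job still runs whatever GitHub currently points `v4` at. The commit message scopes the change to third-party actions, but that policy is not recorded in the file; either pin checkout the same way (`- uses: actions/checkout@<sha> # v4.x.y`) or add a one-line comment stating that first-party actions are deliberately left floating, so the next reader does not treat it as an oversight.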

.github/workflows/manual-publish-docs.yml

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ jobs:
1111
steps:
1212
- uses: actions/checkout@v4
1313

14-
- uses: ruby/setup-ruby@v1
14+
- uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
1515
with:
1616
ruby-version: 3.1
1717
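Review bot: this is the third copy of the identical `ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0` pin in the change set, alongside `.github/actions/ci/action.yml` and `ci.yml`, which means three places must be edited in lockstep on every bump and any one of them can drift. The composite action at `.github/actions/ci/action.yml` already wraps `ruby/setup-ruby` behind an `inputs.ruby-version` input; consider having this workflow call `./.github/actions/ci` with `ruby-version: 3.1` so the pin lives in one file. Also note `ruby-version: 3.1` here versus `3.4` in `ci.yml`; if the docs build intentionally uses the older interpreter, a comment saying so would help.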

.github/workflows/release-please.yml

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ jobs:
1717
upload-tag-name: ${{ steps.release.outputs.tag_name }}
1818
gem-hash: ${{ steps.publish.outputs.gem-hash}}
1919
steps:
20-
- uses: googleapis/release-please-action@v4
20+
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
2121
id: release
2222

2323
- uses: actions/checkout@v4
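Review bot: this workflow is the one that cuts releases (`upload-tag-name`, `gem-hash`), so it is where a compromised action does the most damage, yet `actions/checkout@v4` on line 23 still floats and, per the commit message, `slsa-framework/slsa-github-generator@v2.0.0` further down must stay on a tag. Record both as deliberate exceptions with an inline comment next to each `uses:` line so future Semgrep findings there are understood rather than re-triaged. Minor: `${{ steps.publish.outputs.gem-hash}}` on line 18 is missing the space before `}}`; it evaluates fine, but it matches neither the line above it nor the usual style.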

0 commit comments