ci: SHA-pin third-party Gradle actions (#107)

Pin gradle/actions/setup-gradle and gradle/gradle-build-action to full
commit SHAs to prevent supply chain attacks via tag hijacking.

- gradle/actions/setup-gradle@v6  → @205054a...  (ci.yml ×2, codeql.yml)
- gradle/gradle-build-action@v3   → @12318b0...  (ci.yml, publish-sonatype.yml)

Co-authored-by: Posture Fix <posture-fix@langchain.ai>

Author: jkennedyvz

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
           cache: gradle
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@205054a7257716ec64af10a2e2ff1ac5d3b132db # v6
 
       - name: Run lints
         run: ./scripts/lint
@@ -64,7 +64,7 @@ jobs:
           cache: gradle
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@205054a7257716ec64af10a2e2ff1ac5d3b132db # v6
 
       - name: Build SDK
         run: ./scripts/build
@@ -106,7 +106,7 @@ jobs:
           cache: gradle
 
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v3
+        uses: gradle/gradle-build-action@12318b01111bfa6462c00534ffa998f8b397b979 # v3
 
       - name: Run tests
         run: ./scripts/test

.github/workflows/codeql.yml

@@ -32,7 +32,7 @@ jobs:
             8
             21
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@205054a7257716ec64af10a2e2ff1ac5d3b132db # v6
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4

.github/workflows/publish-sonatype.yml

@@ -29,7 +29,7 @@ jobs:
           cache: gradle
 
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v3
+        uses: gradle/gradle-build-action@12318b01111bfa6462c00534ffa998f8b397b979 # v3
 
       - name: Publish to Sonatype
         run: |-