fix(ci): pin GitHub Actions to commit SHAs

Pin unpinned action references to satisfy repository security policy:
- ko-build/[email protected] → SHA d006021bd0c28d1ce33a07e7943d48b079944c8d
- actions/upload-artifact@v4 → SHA ea165f8d65b6e75b540449e92b4886f43607fa02
- chainguard-dev/actions/kind-diag@main → SHA 6f4f4de7549514e7b659741b30f6476f245600dd

This fixes CI startup failures caused by the repository's policy
requiring all actions to be pinned to complete commit SHAs.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: vdemeester

.github/workflows/ci.yaml

@@ -101,7 +101,7 @@ jobs:
     - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
       with:
         go-version-file: "go.mod"
-    - uses: ko-build/[email protected]
+    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
     - name: ko-resolve
       run: |
           cat <<EOF > .ko.yaml

.github/workflows/e2e-matrix.yml

@@ -48,7 +48,7 @@ jobs:
     - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b  # v5.4.0
       with:
         go-version-file: "go.mod"
-    - uses: ko-build/[email protected]
+    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
     - name: Install Dependencies
       working-directory: ./
@@ -74,12 +74,12 @@ jobs:
           --e2e-env ./test/e2e-tests-kind-${{ matrix.env-file }}.env
 
     - name: Upload test results
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}
         path: ${{ env.ARTIFACTS }}
 
-    - uses: chainguard-dev/actions/kind-diag@main
+    - uses: chainguard-dev/actions/kind-diag@6f4f4de7549514e7b659741b30f6476f245600dd # v1.5.3
       if: ${{ failure() }}
       with:
         artifact-name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}-logs