fix: pin all GitHub Actions to full commit SHAs (resolves SonarCloud S7637) (#90)

Pin all floating version tags (@v1, @v2, @v3, @v4, @master) to full commit
SHAs across all workflow files to eliminate supply chain security risk.

Actions pinned:
- actions/checkout@v3 -> f43a0e5 (v3.6.0) in release.yml, sync-wiki.yml
- actions/checkout@v4 -> 34e1148 (v4) in tests.yml
- shivammathur/setup-php@v2 -> accd612 (v2) in all workflows
- actions/setup-node@v4 -> 49933ea (v4) in playground-tests*.yml, wordpress-tests.yml
- actions/upload-artifact@v4 -> ea165f8 (v4) in playground-tests*.yml, wordpress-tests.yml
- softprops/action-gh-release@v1 -> de2c0eb (v1) in release.yml
- codacy/codacy-analysis-cli-action@v4 -> 562ee3e (v4) in code-quality.yml
- github/codeql-action/upload-sarif@v3 -> 603b797 (v3) in code-quality.yml
- swissspidy/wp-performance-action@v2.0.3 -> b7e3ffc (v2.0.3) in playground-tests.yml
- SonarSource/sonarqube-scan-action@master -> 9598b8a in sonarcloud.yml

Closes #89

.github/workflows/release.yml

@@ -14,10 +14,10 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: '7.4'
           extensions: mbstring, intl, zip
@@ -62,7 +62,7 @@ jobs:
 
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           files: wp-plugin-starter-template-for-ai-coding-${{ env.VERSION }}.zip
           name: v${{ env.VERSION }} - WordPress Plugin Starter Template