ci: pin GitHub action to commit hash#15753

Open

kevinjqliu wants to merge 8 commits into apache:main from kevinjqliu:kevinjqliu/pin-github-action-to-commit-hash

Conversation

@kevinjqliu (Contributor) commented Mar 24, 2026

Part of #15742

ASF Infra has allowlisted all actions in these namespaces:

  • apache/*
  • github/*
  • actions/*

18 workflow files updated to pin 9 GitHub Actions to commit hashes (1 git commit per change):

| Action | Hash | Tag |
|---|---|---|
| actions/cache | 668228422ae6a00e4ad889ee87cd7109ec5666a7 | v5 |
| actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | v6 |
| actions/labeler | 634933edcd8ababfe52f92936142cc22ac488b1b | v6 |
| actions/setup-java | be666c2fcd27ec809703dec50e508c2fdc7f6654 | v5 |
| actions/setup-python | a309ff8b426b58ec0e2a45f0f869d46889d02405 | v6 |
| actions/stale | b5d41d4e1d5dceea10e7104786b73624c18a190f | v10.2.0 |
| actions/upload-artifact | bbbca2ddaa5d8feaa63e36b76fdaad77386f024f | v7 |
| github/codeql-action/init | 38697555549f1db7851b81482ff19f1fa5c4fedc | v4 |
| github/codeql-action/analyze | 38697555549f1db7851b81482ff19f1fa5c4fedc | v4 |

Testing

Validate that there are no other occurrences in the repo with the zizmor command:

```shell
uvx --from zizmor zizmor \
  --offline \
  --format json-v1 \
  .github/workflows 2>/dev/null \
| jq -r '
    [
      .[]
      | select(.ident == "unpinned-uses")
      | .locations[]
      | select(.symbolic.kind == "Primary")
      | {
          path: .symbolic.key.Local.given_path,
          row: (.concrete.location.start_point.row + 1),
          col: (.concrete.location.start_point.column + 1),
          feature: .concrete.feature
        }
    ]
    | sort_by(.feature)
    | .[]
    | "\(.path):\(.row):\(.col)\t\(.feature)"
  '
```
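As an added example (not part of this PR or of the Apache Iceberg project), a small line-based checker that applies the same two rules the PR enforces: every `uses:` reference must be pinned to a 40-hex commit SHA with a trailing `# vN` version comment, and the action must live in one of the three namespaces ASF Infra allowlisted. The workflow text is constructed for the demonstration; `./` local actions and `docker://` images are skipped because a commit-hash pin does not apply to them.

```python
import re

# Constructed sample workflow (not from the PR); mixes pinned and unpinned references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-python@v6
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: someorg/some-action@main
"""

# Namespaces allowlisted by ASF Infra, as stated in the PR description.
ALLOWED_NAMESPACES = ("apache/", "github/", "actions/")

# Matches step-level and job-level `uses:` lines; group 1 is the reference, group 2 the comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_uses_lines(text):
    """Return (lineno, ref, problem) tuples for every `uses:` that violates a pinning rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image: no commit hash to pin
        action, _, version = ref.rpartition("@")
        if not action.startswith(ALLOWED_NAMESPACES):
            findings.append((lineno, ref, "outside allowlisted namespaces"))
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "not pinned to full commit SHA"))
        elif not comment:
            findings.append((lineno, ref, "SHA pin lacks a version comment"))
    return findings

if __name__ == "__main__":
    for lineno, ref, problem in check_uses_lines(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```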

@github-actions github-actions bot added the INFRA label Mar 24, 2026
@kevinjqliu kevinjqliu changed the title from "Kevinjqliu/pin GitHub action to commit hash" to "ci: pin GitHub action to commit hash" Mar 24, 2026
@kevinjqliu kevinjqliu marked this pull request as ready for review March 24, 2026 18:03