ci(bluebuild): pin actions to node20-safe tags

forgejo-runner v6.4.0 javascript runtime is node20. Pin every
javascript action used in the spike branch's workflows to the last
release that ships node20.

- actions/checkout v4 -> v4.1.7 (3 files)
- softprops/action-gh-release v2 -> v2.0.4 (build-iso)
- anchore/sbom-action v0 -> v0.17.2
- actions/attest-build-provenance v2 -> v2.2.3
- blue-build/github-action@v1 unchanged (TODO: SHA pin)

This is the spike-branch counterpart of the main-branch fix in
feat/runner-fix-docker-sock-and-node20.

.github/workflows/build-bluebuild.yml

@@ -48,7 +48,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7
 
       - name: Free up disk
         run: |
@@ -85,7 +87,10 @@ jobs:
 
       - name: SBOM (SPDX)
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: anchore/sbom-action@v0
+        # Pinned to last v0 tag confirmed to ship on node20. The `@v0`
+        # floating tag rolls forward and will eventually pull a node24
+        # release. TODO(infra): SHA pin in a follow-up sweep.
+        uses: anchore/sbom-action@v0.17.2
         with:
           image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
           format: spdx-json
@@ -93,7 +98,8 @@ jobs:
 
       - name: Build provenance attestation
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: actions/attest-build-provenance@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: actions/attest-build-provenance@v2.2.3
         with:
           subject-name: ${{ env.OCI_IMAGE }}
           subject-digest: ${{ steps.bluebuild.outputs.digest }}

.github/workflows/build-iso.yml

@@ -30,7 +30,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7
 
       - name: Free up disk
         run: |
@@ -199,7 +201,8 @@ jobs:
 
       - name: Publish to ci-latest rolling prerelease
         if: success() && github.ref == 'refs/heads/main'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
         with:
           tag_name: ci-latest
           name: "ci-latest (auto)"
@@ -233,7 +236,8 @@ jobs:
 
       - name: Attach to release on tag
         if: github.event_name == 'release'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
         with:
           files: |
             build/out/*.iso

.github/workflows/lint.yml

@@ -12,7 +12,8 @@ jobs:
     container:
       image: registry.fedoraproject.org/fedora:43
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - run: dnf -y install pykickstart
       - run: ksvalidator kickstart/veilor-os.ks
 
@@ -20,7 +21,8 @@ jobs:
     name: Shell scripts
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - uses: ludeeus/action-shellcheck@master
         with:
           severity: warning
@@ -30,7 +32,8 @@ jobs:
     name: No personal/onyx leaks
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
       - name: Grep for leaks
         run: |
           set -e