feat: prevent versioned 3P GitHub actions in PR builds (#457)

Add validation step to require commit SHAs instead of version tags for
third-party GitHub actions in workflow files. Repo config `Require
actions to be pinned to a full-length commit SHA` will protect against
this if we missed any others.

### Testing done
* See:
aws-observability/aws-otel-python-instrumentation#475

*Rollback procedure:*

Git revert - no risk

*Ensure you've run the following tests on your changes and include the
link below:*

pr workflow sufficient

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Author: thpierce

.github/workflows/pr-build.yml

@@ -6,6 +6,31 @@ on:
       - main
 
 jobs:
+  static-code-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Check for versioned GitHub actions
+        if: always()
+        run: |
+          # Get changed GitHub workflow/action files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+          
+          if [ -n "$CHANGED_FILES" ]; then
+            # Check for any versioned actions, excluding comments and this validation script
+            VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+            if [ -n "$VIOLATIONS" ]; then
+              echo "Found versioned GitHub actions. Use commit SHAs instead:"
+              echo "$VIOLATIONS"
+              exit 1
+            fi
+          fi
+          
+          echo "No versioned actions found in changed files"
+
   build:
     name: Gradle Build
     runs-on: ubuntu-latest
@@ -25,7 +50,7 @@ jobs:
 
   all-pr-checks-pass:
     runs-on: ubuntu-latest
-    needs: [build]
+    needs: [build, static-code-checks]
     if: always()
     steps:
       - name: Checkout to get workflow file