Use git command to fetch pinned SHAs, pin goimports

[timvaillancourt]

Description

This PR resolves many more code scanning complaints (example) by moving more workflow dependencies to pinned Git SHAs

On my 1st attempt at pinning workflow dependencies, I used a GitHub-specific golang library to fetch the Git SHA, but it turns out some dependencies (goimports for example) are not hosted on GitHub. So this PR also moves to using a the git command for fetching SHAs instead (called via os/exec)

Related Issue(s)

Example code scanning alert: https://github.com/vitessio/vitess/security/code-scanning/1794

Checklist

• "Backport to:" labels have been added if this change should be back-ported to release branches
• If this change is to be back-ported to previous releases, a justification is included in the PR description
• Tests were added or are not required
• Did the new or modified tests pass consistently locally and on CI?
• Documentation was added or is not required

Deployment Notes

AI Disclosure

[vitess-bot]

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

• Ensure that the Pull Request has a descriptive title.
• Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

• Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

• Apply the release notes (needs details) label if users need to know about this change.
• New features should be documented.
• There should be some code comments as to why things are implemented the way they are.
• There should be a comment at the top of each new or modified test to explain what the test does.

New flags

• Is this flag really necessary?
• Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

• Each item in Jobs should be named in order to mark it as required.
• If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

• Protobuf changes should be wire-compatible.
• Changes to _vt tables and RPCs need to be backward compatible.
• RPC changes should be compatible with vitess-operator
• If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
• vtctl command output order should be stable and awk-able.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.82%. Comparing base (1f49de4) to head (05a1df0).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #18980      +/-   ##
==========================================
+ Coverage   69.77%   69.82%   +0.05%     
==========================================
  Files        1608     1610       +2     
  Lines      214908   215360     +452     
==========================================
+ Hits       149953   150385     +432     
- Misses      64955    64975      +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[timvaillancourt]

@mattlord thanks for the suggestion on using the git command. That has made this PR much simpler and we can drop the github API client 🧹 🚀

I believe this is now ready for re-review when you have time!

[mattlord]

❤️

[mattlord]

@timvaillancourt don't forget to change the title and description🙂