Commit 8e01e3e

pkaeding and kinyoklion authored
chore: pin third-party GitHub Actions to commit SHAs (#57)
## Summary

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule.

## Test plan

- [ ] Verify CI passes with pinned action SHAs

---

> [!NOTE]
> **Low Risk**
> Low risk: only changes the workflow to pin `googleapis/release-please-action` to a specific commit for supply-chain hardening; behavior should remain the same aside from using v4.4.0 exactly.
>
> **Overview**
> Pins the third-party GitHub Action used by the `release-please` workflow (`googleapis/release-please-action`) from a floating `@v4` tag to a full commit SHA (*v4.4.0*) to improve supply-chain security and reproducibility.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f92ac31. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
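The commit message describes the check behind the Semgrep finding: a third-party `uses:` reference is acceptable only when its version is a full-length commit SHA, because tags and branches are mutable pointers that the action's maintainer (or an attacker holding their credentials) can move. The script below is an added example, not the repository's code nor the Semgrep rule itself; it applies the same test to workflow text offline. It assumes that GitHub's own `actions` org is exempt by default (that is what "third-party" means in the rule name; pass an empty allowlist to require pins everywhere), that `./` paths and `docker://` images are out of scope for this check, and uses a constructed sample workflow in which `some-org/some-action` is a hypothetical action.

```python
"""Lint GitHub Actions workflow text for third-party actions not pinned to a commit SHA.

Added example; not the repository's code and not the Semgrep rule's implementation.
"""
import re

# A `uses:` line: optional list dash, the reference, and an optional trailing "# comment".
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?(?:\s*#\s*(\S+))?', re.MULTILINE
)
# A full-length commit SHA: exactly 40 lowercase hex characters. Short SHAs do not count.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow for demonstration; not the repository's release-please.yml.
# "some-org/some-action" is a hypothetical third-party action.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: googleapis/release-please-action@v4
      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""


def parse_uses(text):
    """Return (reference, trailing_comment_or_None) for every `uses:` line in the text."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(text)]


def classify(ref, trusted_owners=()):
    """Classify one `uses:` reference.

    'local'    - ./path inside the repository (no remote code fetched)
    'docker'   - docker:// image reference (pin by digest separately; out of scope here)
    'trusted'  - owner is in trusted_owners (e.g. GitHub's own "actions" org)
    'pinned'   - repository@<40-hex-sha>
    'unpinned' - anything else: a floating tag, a branch, or a short SHA
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    repo, _, version = ref.partition("@")
    owner = repo.split("/", 1)[0]
    if owner in trusted_owners:
        return "trusted"
    if FULL_SHA_RE.match(version):
        return "pinned"
    return "unpinned"


def find_unpinned(text, trusted_owners=("actions",)):
    """Return third-party references that are not pinned to a full commit SHA.

    Assumption: exempting the "actions" org mirrors the rule's "third-party" scope;
    pass trusted_owners=() to require SHA pins for everything.
    """
    return [ref for ref, _ in parse_uses(text) if classify(ref, trusted_owners) == "unpinned"]


def find_pinned_without_version_comment(text):
    """Return SHA-pinned references lacking a trailing '# vX.Y.Z' comment.

    The runner ignores the comment, but it is how reviewers and update bots see which
    release the opaque SHA corresponds to, so a missing one is worth flagging.
    """
    return [ref for ref, comment in parse_uses(text)
            if classify(ref) == "pinned" and comment is None]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned third-party action: {ref}")
```

Run against the sample, the two floating references (`@v4` and `@main`) are reported while the SHA-pinned `release-please-action` line passes. The regex keeps the `# v4.4.0` comment separate from the reference, which is what lets the second check catch a pin that has lost its human-readable version label.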
1 parent 4c2da7a commit 8e01e3e

1 file changed

Lines changed: 1 addition & 1 deletion


.github/workflows/release-please.yml

@@ -11,7 +11,7 @@ jobs:
1111
outputs:
1212
release_created: ${{ steps.release.outputs.release_created }}
1313
steps:
14-
- uses: googleapis/release-please-action@v4
14+
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
1515
id: release
1616
with:
1717
token: ${{secrets.GITHUB_TOKEN}}
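Review bot: the trailing `# v4.4.0` on the new `uses:` line (14+) is informational only; the runner checks out commit `16a9c90856f42705d54a6fda1823352bdc62cf38` and never reads the comment, so nothing in this hunk shows that the SHA is the commit the `v4.4.0` tag actually points at, and the test plan item "Verify CI passes" is still unchecked. Please record in the PR how the SHA was verified (for example `git ls-remote --tags https://github.com/googleapis/release-please-action v4.4.0` compared against the pinned value) and add a Dependabot or Renovate `github-actions` update entry so the pin and its version comment are bumped together rather than going stale. Style nit on the unchanged line 17: `${{secrets.GITHUB_TOKEN}}` drops the spaces inside the braces that line 12's `${{ steps.release.outputs.release_created }}` uses; worth normalizing while this file is being touched.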
