security: pin GitHub Actions to SHA commit hashes

Pin all GitHub Actions to their specific SHA commit hashes instead of
using floating version tags to prevent supply chain attacks from
malicious package republishing.

Changes:
- actions/checkout: v4 → v4.3.1 (SHA: 34e1148)
- actions/setup-node: v4 → v4.4.0 (SHA: 49933ea)
- pnpm/action-setup: v2 → v2.4.1 (SHA: eae0cfe)
- actions/cache: v3 → v3.5.0 (SHA: 6f8efc2)
- actions/upload-artifact: v3 → v3.2.1-node20 (SHA: c24449f)
- softprops/action-gh-release: v1 → v2.5.0 (SHA: a06a81a)

All actions include inline version comments for easy maintenance and
audit trail.

Also includes INSTALLATION.md updates.

Follows GitHub security best practices for immutable action references.

Author: eabdelmoneim

.github/workflows/build.yml

@@ -15,15 +15,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
         with:
           version: 8
 
@@ -34,7 +34,7 @@ jobs:
           echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
 
       - name: Setup pnpm cache
-        uses: actions/cache@v3
+        uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0
         with:
           path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -81,7 +81,7 @@ jobs:
           echo "- \`build/index.tsx.asset.php\`" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@c24449f33cd45d4826c6702db7e49f7cdb9b551d # v3.2.1-node20
         with:
           name: build-artifacts
           path: build/

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Extract version from tag
         id: get_version
@@ -25,12 +25,12 @@ jobs:
           echo "Building version: $VERSION"
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
         with:
           version: 8
 
@@ -99,7 +99,7 @@ jobs:
           echo "Changelog extracted"
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           name: Version ${{ steps.get_version.outputs.version }}
           body_path: CHANGELOG.txt

INSTALLATION.md

@@ -40,7 +40,7 @@ Before installing the plugin, ensure you have:
 
 ## Installation Methods
 
-### Method 1: WordPress.org (Recommended)
+### Method 1: WordPress.org (COMING SOON - pending approval in WP marketplace)
 
 **Best for:** Most users, automatic updates