chore: enforce no git tags or branches in external github actions (#2159)

# What does this PR do?

Don't allow git tags and branches for external actions.

Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>

.pre-commit-config.yaml

@@ -106,6 +106,14 @@ repos:
         pass_filenames: false
         require_serial: true
         files: ^llama_stack/apis/|^docs/openapi_generator/
+      - id: check-workflows-use-hashes
+        name: Check GitHub Actions use SHA-pinned actions
+        entry: ./scripts/check-workflows-use-hashes.sh
+        language: system
+        pass_filenames: false
+        require_serial: true
+        always_run: true
+        files: ^\.github/workflows/.*\.ya?ml$
 
 ci:
     autofix_commit_msg: 🎨 [pre-commit.ci] Auto format from pre-commit.com hooks