ci(actions): fix vulnerabilities (#2206)

* ci(nodejs): use npm ci instead of npm install to enforce lockfile versions

* ci(java): pin setup-gradle action version to commit hash

Author: wpessers

.github/workflows/ci-nodejs.yml

@@ -31,7 +31,7 @@ jobs:
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
           restore-keys: |
             ${{ runner.os }}-node-
-      - run: npm install
+      - run: npm ci
         working-directory: nodejs
       - run: npm run lint
         working-directory: nodejs

.github/workflows/release-layer-java.yml

@@ -37,7 +37,7 @@ jobs:
           java-version: 17
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
 
       - name: Execute Gradle build
         run: |

.github/workflows/release-layer-nodejs.yml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Build
         run: |
-          npm install
+          npm ci
           npm run build
         working-directory: nodejs