Previously versions were using tags. By pinning them to SHAs, it ensures the versions cannot be changed.
Also note that I used the latest release, so many of the actions received a version bump as part of this change.
It was suggested that GitHub Actions might have an issue with the periods in the signing Gradle properties. This is an attempt to see if that is the issue.
From Gradle’s perspective `ORG_GRADLE_PROJECT_signing.secretKeyRingFile=` as an environment variable should be equivalent to a command line argument of `-Psigning.secretKeyRingFile=`
This updates our templates to be more consistent with the Secant app repository.
Note that the checklist item for code coverage was removed for now, until we improve the test infrastructure for the SDK.
This also addresses a security reminder, by explicitly stating that one shouldn't run the demo app from a pull request until after reviewing the code changes.