Open
Description
ios/.github/workflows/release.yml
Line 16 in 5663891
Since this is not a verified action, and it's not pinned to a sha, if compromised, the tag in the repo could be changed to contain malicious code. For that reason we pin (with the commit sha) instead of using `@v1`, for example.

That said, don't we have a Sentry GHA plugin we can use instead? Or a first-party cli install step?
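A check for the concern raised in this issue, added here as an example (not code from the ios repo or from Sentry): it scans a workflow's `uses:` references and flags every third-party action that is pinned to a mutable tag or branch rather than a full 40-hex commit SHA. The sample workflow, the action names and the SHA in it are constructed for illustration.

```python
import re

# Constructed sample workflow; action names and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Example
        uses: example-org/example-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pinning(workflow_text: str):
    """Return (line_no, reference, status) for every `uses:` step.

    status is 'pinned' when the ref ends in a full commit SHA (immutable),
    'local' for actions inside this repo, 'docker' for docker:// images
    (those are pinned by digest, not checked here), else 'unpinned':
    a tag or branch the action's maintainer (or an attacker who takes over
    the action repo) can move to different code.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "docker"
        else:
            _, _, version = ref.rpartition("@")  # version is '' when no '@'
            status = "pinned" if SHA_RE.match(version) else "unpinned"
        findings.append((n, ref, status))
    return findings


def unpinned_refs(workflow_text: str):
    """Just the references a reviewer should ask to have pinned."""
    return [ref for _, ref, s in check_pinning(workflow_text) if s == "unpinned"]


if __name__ == "__main__":
    for n, ref, status in check_pinning(SAMPLE_WORKFLOW):
        print(f"line {n}: {status:8s} {ref}")
```

Pinning to a SHA only helps if the trailing `# vX.Y.Z` comment is kept in sync by review (or by a tool such as Dependabot), since the comment itself is not verified by GitHub.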