
update automation dependencies to use hashes#1515

Merged
jgadsden merged 6 commits into main from update-devs on Mar 29, 2026

Conversation

@jgadsden (Collaborator)

jgadsden commented Mar 21, 2026

Summary:

update various dependencies in workflow actions and documentation
There has been a recent high-profile supply chain attack against aquasecurity/trivy-action which was successful.
Therefore, GitHub Actions need to be pinned to digests rather than versions;
see #1519 and #1518.

Description for the changelog:

update automation dependencies to use digests

Declaration:

Thanks for submitting a pull request, please make sure:

  • content meets the license for this project
  • N/A appropriate unit tests have been created and/or modified
  • you have considered any changes required for the functional tests
  • you have read the contribution guide and agree to the Code of Conduct
  • either no AI-generated content has been used in this pull request
  • or any use of AI in this pull request has been disclosed below:
    • AI Tools: [e.g. GitHub CoPilot, ChatGPT, JetBrains Junie, etc]
    • LLMs and versions: [e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro, etc]
    • Prompts: [Summarize the key prompts or instructions given to the AI tools]

Other info:
Closes #1520

@jgadsden jgadsden marked this pull request as ready for review March 25, 2026 21:57
@jgadsden (Collaborator, Author)

ready for review

@lreading (Collaborator)

Excellent addition, and thanks for doing this! One suggestion to help with maintainability - Dependabot will update comments referencing the version number so long as it's inline with the hash.

For example:

uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/

dependabot/dependabot-core#5951

This was already a monumental effort, and I'm happy to implement that change! We could also defer it to a separate PR if you'd like to get this merged ASAP. Up to you!
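A check for the pinning convention discussed above, added here as an example and not code from this PR or the project: it scans the `uses:` lines of a workflow for a full 40-hex commit digest and for the inline `# vX.Y.Z` comment that Dependabot keeps in sync with it. The sample workflow and `example-org/lint-action` (with its digest) are constructed placeholders.

```python
import re
from typing import List, Tuple

# A step reference in a GitHub Actions workflow:
#   - uses: owner/repo[/path]@ref   # optional trailing comment
# Local actions (./path) and docker:// references are skipped on purpose.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# A full commit digest is 40 lowercase hex characters; tags and branches are not.
DIGEST_RE = re.compile(r"^[0-9a-f]{40}$")
# The inline comment Dependabot updates alongside the digest, e.g. "v6.0.2".
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*$")

# Constructed sample workflow: one step pinned correctly, one pinned to a
# mutable tag, one pinned to a digest but missing the version comment.
# (example-org/lint-action and its digest are placeholders, not a real action.)
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@v4
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""


def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, finding) for each `uses:` step that is not
    pinned to a full digest with a version comment; an empty list means clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not DIGEST_RE.match(ref):
            findings.append((lineno, action, f"pinned to mutable ref '{ref}', not a digest"))
        elif not (comment and VERSION_COMMENT_RE.match(comment.strip())):
            findings.append((lineno, action, "digest has no '# vX.Y.Z' comment for Dependabot"))
    return findings
```

Running `check_workflow` over each file under `.github/workflows/` in CI turns the convention into a failing check rather than a review-time reminder.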

@jgadsden (Collaborator, Author)

> This was already a monumental effort, and I'm happy to implement that change! We could also defer it to a separate PR if you'd like to get this merged ASAP. Up to you!

That is a nice feature that I was not aware of; I will apply this today.

@jgadsden jgadsden merged commit ccd1b9f into main Mar 29, 2026
26 of 27 checks passed
@jgadsden jgadsden deleted the update-devs branch March 29, 2026 11:57

Labels: automation, dependencies (pull requests that update a dependency file)

Development: successfully merging this pull request may close the issue "Use sha not version for workflow actions".