Hash-pinned dependencies are an important requirement enforced by the OpenSSF scorecard tool: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies This commit pins all GitHub Actions workflows to a commit hash.
Thanks for your contribution. If I understand correctly, adding such hashes would preclude automatic PRs when new versions of actions like
@lindstro Dependabot can update hash-pinned dependencies, including the comment. Given that you already have Dependabot configured to run weekly, there shouldn't be any negative effects on your workflow. An extra bonus of pinning everything is that you can add a GHA check to verify that everything is pinned, preventing unpinned dependencies from making it into your workflows in the future. That said, if you don't want to pin the
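The two ideas in the comment above (pinning a `uses:` reference to a full commit SHA while keeping the tag as a trailing comment for Dependabot, and adding a check that fails when anything is left unpinned) are illustrated here as an added example. This is not code from the PR or from the repository it targets; the workflow snippets are constructed, the 40-zero SHA is a placeholder rather than a real commit, and the check is a plain POSIX `sh` script rather than any particular GHA action.

```shell
#!/bin/sh
# Added example, not code from the PR or its repository.
# Constructed sample workflows (placeholder SHAs) plus a POSIX sh check that
# fails when any external `uses:` reference is not a full 40-hex commit SHA.

# Write a constructed workflow whose actions are pinned by commit SHA, with the
# tag kept as a trailing comment so Dependabot can track and bump it.
make_sample_pinned() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
EOF
}

# Write a constructed workflow that still references actions by tag or branch.
make_sample_unpinned() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
EOF
}

# Return 0 when every external `uses:` in FILE is pinned to a commit SHA,
# 1 otherwise (the offending lines are printed). Local (./) and docker://
# references are skipped, and lines that are entirely comments are ignored.
check_pinned() {
  file="$1"
  bad=$(grep -nE '^[^#]*uses:' "$file" \
    | grep -vE 'uses: *"?\./' \
    | grep -vE 'uses: *"?docker://' \
    | grep -vE 'uses: *"?[^@" ]+@[0-9a-f]{40}([^0-9a-f]|$)' || true)
  if [ -n "$bad" ]; then
    printf 'Unpinned actions in %s:\n%s\n' "$file" "$bad"
    return 1
  fi
  return 0
}

# Check every workflow file under a directory; non-zero if any file fails.
check_workflows_dir() {
  rc=0
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -e "$f" ] || continue
    check_pinned "$f" || rc=1
  done
  return $rc
}

# Usage: sh check_pinned.sh .github/workflows
if [ $# -gt 0 ]; then
  check_workflows_dir "$1"
fi
```

Run in CI as a step before anything else so an unpinned `uses:` fails the job; the trailing `# v4` comment is what lets Dependabot bump both the SHA and the version note in one PR.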
LGTM