chore(deps): pin dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	pinDigest	-> 5a3ec84
actions/checkout	action	pinDigest	-> 11bd719
actions/download-artifact	action	pinDigest	-> d3f86a1
actions/setup-go	action	pinDigest	-> d35c59a
actions/upload-artifact	action	pinDigest	-> ea165f8
debian	final	pinDigest	-> 2ed89b1
docker/build-push-action	action	pinDigest	-> 2634353
docker/login-action	action	pinDigest	-> 74a5d14
docker/setup-buildx-action	action	pinDigest	-> b5ca514
docker/setup-qemu-action	action	pinDigest	-> 2910929
github/codeql-action	action	pinDigest	-> ff0a06e
golangci/golangci-lint-action	action	pinDigest	-> 55c2c14
otel/opentelemetry-ebpf-profiler-dev	container	pinDigest	-> 688e465

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[christos68k]

We probably shouldn't pin this?

[florianl]

While it's considered best practice to pin dependencies in CI to their hash, I agree that the benefit here might be limited. It adds one additional step for us, if we update the image.
On the other hand, anyone with the correct permissions is able to overwrite this image atm and as we just use latest instead of a version, this might will help us identify such scenarios more easily.