Use Commit Hashes to Version Reusable Github Actions Tasks

[sarina]

In response to https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/ we should move to pinning GitHub Action versions by commit hash.

Some resources:

• Not natively supported: Support "lock file" equivalent for GitHub actions actions/runner#2195
• Dependabot may support this: For actions that are pinned-by-hash, bump the human readable version number in the code comment dependabot/dependabot-core#4691
• We may be able to run pinact as a one-off and then leverage Dependabot after that.