Use immutable references for external GitHub Actions
Referencing third-party actions by version tag can be dangerous if that action's repository is compromised: git tags are mutable, so an attacker who controls the repository can change what gets executed without our workflow changing at all. See e.g. this recent example of this kind of attack: https://alexwlchan.net/2025/github-actions-audit/.
We should replace all mutable references with immutable commit SHAs. We can still use Dependabot for updates, since it recognizes the pinned form when the version is kept in a trailing comment, like this:
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
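A small audit script for the change proposed above (an added example, not code from this issue or repository): it scans a workflow file line by line with a regular expression rather than a YAML parser, flags every `uses:` reference that is not pinned to a 40-hex commit SHA, and keeps the trailing version comment that Dependabot uses. The workflow text is constructed for the example.

```python
import re

# A `uses:` line: owner/repo[/path]@ref, optionally followed by "# comment" (e.g. "# v2.3.4").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
# A full-length commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (action, ref, kind, comment) for a `uses:` line, or None if the line is not one.

    kind is 'sha' (immutable), 'mutable' (tag or branch name), 'local' (./path) or 'docker'.
    """
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group("ref").strip("\"'"), m.group("comment")
    if target.startswith("./"):
        return (target, None, "local", comment)
    if target.startswith("docker://"):
        return (target, None, "docker", comment)
    action, _, ref = target.partition("@")
    kind = "sha" if SHA_RE.match(ref) else "mutable"
    return (action, ref, kind, comment)


def find_mutable_refs(workflow_text):
    """List (line_no, action, ref) for every external action not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        info = classify_uses(line)
        if info and info[2] == "mutable":
            findings.append((n, info[0], info[1]))
    return findings


# Constructed sample: two mutable references, one SHA-pinned reference, one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@main
      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for n, action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is a mutable reference; pin it to a commit SHA")
```

Running it over the sample reports the `@v2` and `@main` lines and leaves the SHA-pinned and local steps alone.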