Securely pin node version

[ned]

Description: Allow specifying the sha256 of the node binary in addition to the node version. If the asset fails to match the expected sha256, we should error. If specifying the sha256 is not feasible, we could allow specifying the git commit of the release (https://github.com/actions/node-versions/releases).

Justification: Ensure that any 3rd party code that runs in GitHub actions is locked down to known hashes.

Are you willing to submit a PR? Yes, once the details are ironed out.