
[FLINK-34937][ci] Updates GitHub actions to use the properly pinned and most-recent version

Open XComp opened this issue 10 months ago • 1 comments

What is the purpose of the change

According to Apache Infra's GitHub Action Policy (https://infra.apache.org/github-actions-policy.html), we are allowed to use any action that is under apache/, github/ and actions aside from the custom actions within the repository. Any other external action should be pinned and the corresponding code reviewed to identify any malicious code.

Brief change log

  • Identified burnett01/rsync-deployments as the only external action that needs to be pinned
  • Reviewed code (see commit message)
  • Pinned action
  • Adds comment to remind contributors that pull_request_target is never meant to be used as a trigger to comply with Apache Infra
  • Upgraded checkout action to v4
  • Removes write permission from nightly trigger (test run to verify that the write permissions are not needed)

Verifying this change

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? no
  • If yes, how is the feature documented? not applicable

XComp Apr 02 '24 12:04
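
A check for the pinning rule this pull request applies, as an added example (not code from the Flink repository or from Apache Infra): it scans a workflow file's `uses:` lines and reports actions outside apache/, github/ and actions/ that are not pinned. It assumes "pinned" means a full 40-character commit SHA; the sample workflow, the placeholder SHA, the local action path and `example-org/example-action` are constructed for illustration.

```python
import re

# Owners the PR description names as allowed without pinning.
TRUSTED_OWNERS = {"apache", "github", "actions"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # assumption: pinned == full commit SHA

def audit_workflow(text):
    """Return (line_no, reference, reason) for each `uses:` that needs attention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):          # custom action inside the repository
            continue
        if ref.startswith("docker://"):   # image references are outside this check
            findings.append((line_no, ref, "container image, review manually"))
            continue
        action, _, version = ref.partition("@")
        owner = action.split("/", 1)[0].lower()
        if owner in TRUSTED_OWNERS:
            continue
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "external action not pinned to a commit SHA"))
    return findings

# Constructed sample workflow; the SHA and the local action path are placeholders.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/job_init
      - uses: burnett01/rsync-deployments@main
      - uses: burnett01/rsync-deployments@0123456789abcdef0123456789abcdef01234567  # pinned
      - name: build
        uses: "example-org/example-action@v1"
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Tags and branch names such as `@v1` or `@main` can be moved by the action's owner after review, which is why only the commit SHA form passes.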

CI report:

  • 30de0e3a6217d6cafc4065e5b79f2a327420f6d5 Azure: SUCCESS
Bot commands

The @flinkbot bot supports the following commands:

  • @flinkbot run azure re-run the last Azure build

flinkbot Apr 02 '24 12:04