
fix: replace the version by hash value and add permissions

Open gcanlin opened this issue 1 year ago • 0 comments

Summary

This PR fixes the token permissions and the unpinned dependency according to the OpenSSF Scorecard. Versions v1 to v3 of the upload-artifact action are deprecated, which has been replaced in my PR. Scorecard also reports many vulnerabilities such as GHSA-67hx-6x53-jw92. Is this project still maintained? If so, please let me know and I would gladly help fix these vulnerabilities.

I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:

- Branch Protection & Code Review: Enabling branch protection rules and code reviews can minimize the risk of introducing vulnerabilities. Refer to your repository settings for configuration options.
- Static Application Security Testing (SAST): Implementing SAST tools can help detect vulnerabilities early in the development lifecycle.
- Dependency Update Tool: Utilizing a dependency update tool ensures your project uses the latest secure library versions.
- Security Policy: Defining a comprehensive security policy (SECURITY.md) with vulnerability reporting guidelines, coding standards, and response procedures is recommended.

For more information on specific checks, see the OpenSSF Scorecard documentation: Link to Documentation

Explain the motivation for making this change. What existing problem does the pull request solve?

Test plan (required)

It's just a fix in the workflow and some suggestions for security.

gcanlin avatar Dec 20 '24 02:12 gcanlin
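The two workflow changes the PR describes (pin third-party actions to a full commit SHA instead of a mutable tag, and give the GITHUB_TOKEN a read-only default permission) can be applied mechanically. The script below is an added example, not code from html2canvas or from this PR. It assumes a tag-to-SHA table (`SAMPLE_PINS`, whose SHAs are placeholders rather than real commits) and a constructed sample workflow; it rewrites `uses:` lines it can resolve, reports the ones it cannot, and inserts a top-level `permissions:` block only if none exists.

```python
"""Pin GitHub Actions to commit SHAs and add a least-privilege token permission.

Added example, not html2canvas project code. Works line by line on purpose so
that the workflow's key order and comments survive the rewrite.
"""
import re

# uses: owner/repo[/path]@ref, optionally as a list item, optionally followed by a comment
USES_RE = re.compile(
    r'^(?P<prefix>\s*(?:-\s*)?uses:\s*)'
    r'(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+?)\s*(?:#.*)?$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed tag -> SHA table. The SHAs are placeholders; resolve real ones with
#   git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>
SAMPLE_PINS = {
    "actions/checkout@v4": "1111111111111111111111111111111111111111",
    "actions/setup-node@v4": "2222222222222222222222222222222222222222",
    "actions/upload-artifact@v4": "3333333333333333333333333333333333333333",
}

# Constructed workflow with mutable tags and no permissions block
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci && npm test
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: some-org/unknown-action@v1
"""


def pin_uses_line(line, pins):
    """Return (new_line, unresolved_key). unresolved_key is None unless the tag is unknown."""
    m = USES_RE.match(line)
    if not m:
        return line, None
    action, ref = m.group("action"), m.group("ref")
    if SHA_RE.match(ref):
        return line, None  # already pinned to a full commit SHA
    repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any sub-path
    key = f"{repo}@{ref}"
    sha = pins.get(key)
    if sha is None:
        return line, key  # unknown tag: leave the line alone and report it
    # Keep the human-readable tag as a trailing comment, as Dependabot does
    return f"{m.group('prefix')}{action}@{sha}  # {ref}", None


def add_permissions(text):
    """Insert a top-level read-only permissions block before jobs: if none exists."""
    lines = text.splitlines()
    if any(re.match(r'^permissions:', ln) for ln in lines):
        return text, False  # top-level block already present (column 0 only)
    for i, ln in enumerate(lines):
        if re.match(r'^jobs:', ln):
            lines[i:i] = ["permissions:", "  contents: read", ""]
            return "\n".join(lines) + "\n", True
    return text, False


def harden_workflow(text, pins=SAMPLE_PINS):
    """Pin every resolvable action and add permissions; return (text, unresolved keys)."""
    pinned, unresolved = [], []
    for line in text.splitlines():
        new_line, missing = pin_uses_line(line, pins)
        pinned.append(new_line)
        if missing:
            unresolved.append(missing)
    hardened, _ = add_permissions("\n".join(pinned) + "\n")
    return hardened, unresolved


if __name__ == "__main__":
    out, missing = harden_workflow(SAMPLE_WORKFLOW)
    print(out)
    for key in missing:
        print(f"unresolved, pin by hand: {key}")
```

The script is idempotent: lines already pinned to a 40-hex SHA are left untouched, so it can run on every dependency update. Anything it reports as unresolved (here the constructed `some-org/unknown-action@v1`) still needs a manual `git ls-remote` lookup, and a tag that only exists for a deprecated major, such as upload-artifact v3, should be bumped rather than pinned.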