Idea: pin github actions to a known-good version

[durban]

References in ci.yml like, e.g., actions/setup-java@v4 are apparently to mutable tags. We could instead pin them to "known-good" versions, like actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12. As recommended by https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.