Pin SHA of third-party GitHub Actions (#782)

The full-version Git tags used by Actions are mutable (as seen in recent
events in the wider GitHub Actions community), so pinning third-party
Actions to a SHA is recommended:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

The version tag has been added after the pin as a comment (as a
readability aid) in a format that Dependabot will keep up to date:
dependabot/dependabot-core#4691

I've also enabled Dependabot grouping for GitHub Actions updates
to reduce PR noise.

GUS-W-18051077.

Author: edmorley

.github/dependabot.yml

@@ -20,3 +20,8 @@ updates:
     directory: "/"
     schedule:
       interval: "monthly"
+    groups:
+      github-actions:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/ci.yml

@@ -46,7 +46,7 @@ jobs:
           bundler-cache: true
           ruby-version: "3.2"
       - name: Install PHP and Composer
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: "8.3"
           tools: "composer:2.8"

.github/workflows/platform-sync.yml

@@ -146,7 +146,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install dos2unix
       - name: Install PHP and Composer
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: "8.2"
           tools: "composer:2.8"
@@ -332,7 +332,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Install PHP and Composer
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
           php-version: "8.2"
           tools: "composer:2.8"