ci: pin various actions to SHAs

[nschonni]

Description

Pin SHAs according to https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.
Adding additional permissions config for some of the missing jobs might make sense.

Motivation and Context

Some cleanup related to #2208

Testing Details

Example Output(if appropriate)

Types of changes

• Documentation
• Version change (Update, remove or add more Node.js versions)
• Variant change (Update, remove or add more variants, or versions of variants)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Other (none of the above)

Checklist

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING.md document.
• All new and existing tests passed.

[SimenB]

dependabot knows how to update these, right?

[forsen]

dependabot knows how to update these, right?

Yep, implemented in dependabot/dependabot-core#5951

[github-actions]

Created PR on the official-images repo (docker-library/official-images#18646). See https://github.com/docker-library/faq#an-images-source-changed-in-git-now-what if you are wondering when it will be available on the Docker Hub.