
Use sha pinning for third party github actions #2689

@riccardobl

Description

To reduce the attack surface for supply-chain attacks, we should use SHA commit pinning for third-party / non-official GitHub Actions and make Dependabot work with them.

Official and widely used actions should still retain their semantic versions so that the Dependabot vulnerability scanner can work better.
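As an added illustration of the policy proposed above (example code, not part of this issue or the project's build scripts), a small audit script that walks a workflow's `uses:` lines, lets actions from an assumed allow-list of official / widely used publishers keep their version tags, and flags any other action that is not pinned to a full 40-hex commit SHA. It also hints when a SHA-pinned ref lacks the trailing `# vX.Y.Z` comment that Dependabot keeps in sync with the SHA. The sample workflow and its SHAs are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; the 40-hex SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: other-org/other-action@v1.4.2
      - uses: third-org/tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
"""

# Assumed allow-list of "official / widely used" publishers that may keep semver tags.
TRUSTED_OWNERS = {"actions", "github", "docker"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action_ref, finding) for each third-party action that is
    not pinned to a full commit SHA, plus a hint when a SHA-pinned ref has no
    trailing version comment for Dependabot to update alongside the SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and container images are out of scope
        repo, _, version = ref.partition("@")
        if repo.split("/")[0] in TRUSTED_OWNERS:
            continue  # official / widely used: semver tag is acceptable per the policy
        if not SHA_RE.match(version):
            findings.append((n, ref, "third-party action not SHA-pinned"))
        elif comment is None:
            findings.append((n, ref, "SHA-pinned but missing version comment"))
    return findings


if __name__ == "__main__":
    for n, ref, why in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {why}")
```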

Labels: buildscript (An issue with the buildscript)

Status: tracked
