MNT: Use hash for Action workflow versions and update if needed

[pllim]

As recommended by https://scientific-python.org/specs/spec-0008/#pin-github-actions-release-workflows-to-their-full-release-commit-shas , this PR changes your Actions workflow version pins to hashes, and updates to latest release hashes (at the time of writing) if needed.

This is an automated update made by the batchpr tool 🤖 - feel free to close if it doesn't look good! You can report issues to @pllim.

👻

[zacharyburnett]

GitHub actions must be pinned using full commit SHA corresponding to the release version being used. Using versions or small hashes is susceptible to attacks.

Oh interesting, I guess someone upstream could potentially re-tag an action with malicious code

[pllim]

Yes it is a possibility especially with random third-party actions with unknown authors.

[pllim]

Even with known packages, only takes one malicious actor for it to happen, if you remember recent news.