Description
Jira: https://asfdaac.atlassian.net/browse/TOOL-3476
Note: The above link is accessible only to members of ASF.
Since CodeQL was enabled for our repos, we've been getting warnings like:
Unpinned tag for a non-immutable Action in workflow
Medium
Unpinned 3rd party Action 'Check links' step uses '[SOME_ACTION]' with ref 'vX.Y.Z', not a pinned commit hash
E.g., https://github.com/ASFHyP3/hyp3-docs/security/code-scanning/32
Dependabot does appear to support updating hash pins, so we could switch to them. This would look like:
- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0
Note: dependabot will update the hash and trailing version comment: dependabot/dependabot-core#4691 (comment)
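To see what the CodeQL rule is checking for, here is a small scanner, added as an example and not part of the hyp3-docs repository or its workflows, that reads a workflow file's `uses:` lines and reports every third-party action whose ref is a tag or branch instead of a 40-character commit hash. The embedded workflow is constructed for the example; `example-org/link-checker` is a hypothetical action name, while the `actions/checkout` line is the pinned form from the issue text.

```python
import re

# One `uses:` line of a GitHub Actions workflow, with an optional trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(.*?))?\s*$')
# A full-length git commit SHA: the only ref form that cannot be moved later.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow. `example-org/link-checker` is a hypothetical action;
# the `actions/checkout` pin is the hash-plus-comment form shown in the issue.
SAMPLE_WORKFLOW = """\
name: Check links
on: [push]
jobs:
  links:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0
      - uses: actions/setup-python@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.18
      - name: Check links
        uses: example-org/link-checker@v1.2.3
"""


def classify_ref(ref):
    """Return "sha" for a 40-hex commit hash, "mutable" for a tag, branch, or empty ref."""
    return "sha" if SHA_RE.fullmatch(ref) else "mutable"


def scan_uses(workflow_text):
    """Parse every `uses:` reference in a workflow and classify how it is pinned.

    Local actions (./path) and docker:// images are skipped: they carry no git ref
    that could be replaced by a commit hash. Returns one dict per remaining reference.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:
            # `uses: owner/repo` with no ref at all resolves to the default branch.
            action, ref = target, ""
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "kind": classify_ref(ref),
            # The trailing comment is where the human-readable version lives
            # once the ref itself is a hash (Dependabot keeps it updated).
            "comment": comment.strip() if comment else "",
        })
    return findings


def find_unpinned(workflow_text):
    """Return only the references the CodeQL alert would flag: not pinned to a commit SHA."""
    return [f for f in scan_uses(workflow_text) if f["kind"] != "sha"]


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        shown_ref = f["ref"] or "<default branch>"
        print(f"line {f['line']}: {f['action']} uses ref {shown_ref}, not a pinned commit hash")
```

Run it against a real file with `find_unpinned(open(".github/workflows/ci.yml").read())`; only the `actions/checkout` step in the sample passes, and its `comment` field carries the `v2.1.0` that makes the hash readable in review.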