Pin GitHub workflow actions to use a specific commit hash for improved security hardening of the build pipeline, as recommended by the GitHub docs: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Apparently only 2% of GitHub repositories actually implement this "best practice", but I think it's a good idea.
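
A check that could accompany this change, as an added example (not part of the original message or the project's code): a small Python scanner that flags `uses:` references not pinned to a full 40-character commit SHA. The sample workflow, the `example-org` action names and the SHA value are constructed for illustration.

```python
import re

# Matches a step-level or job-level "uses:" key and captures its target,
# stopping before any trailing comment such as "# v1.2.3".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for a uses: target."""
    if ref.startswith("./"):
        return "local"  # action in the same repo, versioned with the workflow
    if ref.startswith("docker://"):
        # An image reference is immutable only when addressed by digest.
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.match(version):
        return "pinned"
    return "unpinned"  # tag, branch, short SHA, or no ref at all

def find_unpinned(workflow_text):
    """Return (line number, reference) for every mutable uses: target."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed workflow: one tag, one full SHA, one branch, one local, one short SHA.
SAMPLE = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/other-action@main
      - uses: ./.github/actions/local-step
      - uses: example-org/short-sha@0123456
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Keeping the version tag as a trailing comment next to the SHA, as in the pinned line of the sample, preserves readability for reviewers.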