Pin github actions to SHA

[yubiuser]

What does this PR aim to accomplish?:

Pins the actions used in our workflow by commit. This is the recommended way to prevent supply chain attacks

https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

The human-friendly comment tag should be auto-updated by dependabot as well

https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/

---

This also updates some outdated actions to their latest version, no idea why dependabot did not pick them up

---

By submitting this pull request, I confirm the following:

1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
2. I have commented my proposed changes within the code and I have tested my changes.
3. I am willing to help maintain this change if there are issues with it later.
4. It is compatible with the EUPL 1.2 license
5. I have squashed any insignificant commits. (git rebase)
6. I have checked that another pull request for this purpose does not exist.
7. I have considered, and confirmed that this submission will be valuable to others.
8. I accept that this submission may not be used, and the pull request closed at the will of the maintainer.
9. I give this submission freely, and claim no ownership to its content.

---

• I have read the above and my PR is ready for review. Check this box to confirm

[DL6ER]

Don't get me wrong, I am not against this in any way but - what does it give us in reality? I don't think the blog post told us this very important detail. Hypothetical scenario: Say some code is compromised. Okay, they can replace the tag and all workflows around the world will start using it. This is bad. Now, with SHA pinning, they cannot do this. Better. However, they can very well create a new release, dependabot will come and open update PRs throughout the field, but, yeah, we are slow picking them up and - if the compromise is detected (and communicated!) quickly enough - this may suffice to get the warning before we merge the change. If we are "too fast" (difficult to say, though) about this and are already on a malicious SHA, the pinning will keep us there, no way for the maintainers of the pirated repository to just delete the tag (I don't think you can really delete the SHA hashes, can you?). I'd give or take, this change can be positive and negative depending on your particular point of view.

[yubiuser]

I see your point. When a bad actor releases a new compromised version and dependabot picks it up it's a kind of race condition - is the misbehavior noticed before we update the action? This is still a possible attack vector.
But as you said, another vector - re-tagging of a now compromised version - is not possible anymore.

So tagging by SHA will prevent 1 of 2 possible attack ways. Better than nothing I'd say.