Google's security practices for GitHub Actions state the following:
When using a third-party action (one not hosted in a Google-managed org), a fixed version of the action MUST be used by specifying a specific commit, rather than a branch like "main", or a tagged release, which can be overwritten by any maintainer of the action. Docker and GitHub runner images should always be run at a fixed version rather than "latest".
We need to do this for our GitHub Actions workflows.
I found a tool, frizbee, that can be used to update a workflow to use commit hashes for actions. There's also a companion GitHub Actions workflow that can be installed in a repository to automate checks and updates.
In addition to using commit hashes, we have to replace runner names like ubuntu-latest with specific versions like ubuntu-24.04. There is a table of available runner images at https://github.com/actions/runner-images.
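As an added example (not code from the issue or from frizbee), a small Python check that flags the two kinds of floating reference described above in a workflow file: an external action whose ref is not a full commit SHA, and a hosted runner label ending in -latest. The workflow text and the 40-hex SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow (not from the issue): one action pinned to a
# (made-up) full commit SHA, one on a branch, one on a tag, one floating runner.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # v4.0.0
      - run: npm test
  lint:
    runs-on: ubuntu-24.04
    steps:
      - uses: ./.github/actions/local-lint
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # only a full SHA is immutable
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(\S+)")

def find_unpinned(workflow_text):
    """Return (line_no, kind, value) for each floating reference: an external
    action whose ref is not a 40-hex commit SHA, or a runner label ending in
    '-latest'. Local (./...) and docker:// refs are left to other checks."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue
            _, _, version = ref.partition("@")   # '' when there is no @ at all
            if not SHA_RE.match(version):
                findings.append((no, "action", ref))
            continue
        m = RUNS_ON_RE.match(line)
        if m and m.group(1).endswith("-latest"):
            findings.append((no, "runner", m.group(1)))
    return findings

if __name__ == "__main__":
    for no, kind, value in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {no}: floating {kind} reference {value}")
```

The pinned cache step and the ubuntu-24.04 runner pass; the branch ref, the tag ref and ubuntu-latest are reported with their line numbers.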