Closed
As best practice, GitHub Actions should be pinned to a SHA, as it makes it significantly harder to replace them with a hostile version.
I found the npm package described in https://github.com/mheap/pin-github-action to work well (it will do one file or folder at a time).
I did it for a couple of repos, e.g. dotnet/extensions#6123.
I'm not going to do it for arcade because possibly there are actions that expect to float right now, and those will need looking at.