Update GitHub Actions to use pinned hash references

[wroersma]

Description

This PR updates all GitHub Actions in the workflow files to use specific commit hashes rather than version tags. This follows GitHub's security best practice of using hash-pinned references to prevent potential supply chain attacks.

Security Rationale

The recent tj-actions/changed-files compromise (CVE-2025-30066) demonstrated how attackers can modify version tags to execute malicious code in workflows. Even with the current version tag in your workflows, your repository remains vulnerable to this type of attack.

By pinning to immutable SHA hashes, we ensure that the exact code run by your workflows is never silently changed, protecting against:

• Compromised maintainer accounts
• Malicious tag modifications
• Supply chain attacks

Changes

• Updated actions/checkout from v3/v4 to specific commit hashes
• Updated tj-actions/changed-files to a pinned hash reference (especially important given the recent compromise)
• Updated all other GitHub Actions to their latest hash references
• Added version comments for easier reference

Impact

This change has no functional impact on your workflows but significantly improves security posture. The specific versions selected match or exceed the functionality of the previously used tag-based versions.

I've created a tool that automates this process: GitHub Workflow Checker which can be used to keep these references updated while maintaining the security benefits.