Chore: pin actions by hashes

[randmonkey]

What this PR does / why we need it:
Pin imported actions by hashes instead of tags.
Which issue this PR fixes

Fixes #

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

• the CHANGELOG.md release notes have been updated to reflect significant changes

[czeslavo]

Versions in the comments after SHAs should be auto-updated by the dependabot when it bumps a version, right? That's how I understand this.

[team-k8s-bot]

The backport to release/v1.4.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release/v1.4.x release/v1.4.x
# Navigate to the new working tree
cd .worktrees/backport-release/v1.4.x
# Create a new branch
git switch --create backport-968-to-release/v1.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 17b6d7678bac3aeb4a1d6240f5c1841449e882e6
# Push it to GitHub
git push --set-upstream origin backport-968-to-release/v1.4.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release/v1.4.x

Then, create a pull request where the base branch is release/v1.4.x and the compare/head branch is backport-968-to-release/v1.4.x.

[randmonkey]

@czeslavo Please create an issue for using dependent bot to update them.

[team-k8s-bot]

The backport to release/1.3.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-release/1.3.x release/1.3.x
# Navigate to the new working tree
cd .worktrees/backport-release/1.3.x
# Create a new branch
git switch --create backport-968-to-release/1.3.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 17b6d7678bac3aeb4a1d6240f5c1841449e882e6
# Push it to GitHub
git push --set-upstream origin backport-968-to-release/1.3.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-release/1.3.x

Then, create a pull request where the base branch is release/1.3.x and the compare/head branch is backport-968-to-release/1.3.x.

[czeslavo]

@czeslavo Please create an issue for using dependent bot to update them.

I think there will be no additional action required. So far, dependabot was configured to update GH action dependencies (here's the latest update it did). I noticed that the comment format you've used matches the one used in dependabot/dependabot-core#5951 so I was just wondering whether you've verified it will work for us as expected. I verified it locally with dependabot CLI and it detects a version bump correctly if I manually downgrade any dependency.