Pin GH actions

Dependabot is also capable of pinning to future tag releases
and will maintain the comment that descibes the shasum.

dependabot/dependabot-core#4691
Signed-off-by: Marco Franssen <[email protected]>

.github/workflows/depsreview.yaml

@@ -1,15 +1,12 @@
 name: 'Dependency Review'
 on: [pull_request]
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
-
     permissions:
       contents: read
-
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # ratchet:actions/dependency-review-action@v3

.github/workflows/nightly_build.yaml

@@ -4,33 +4,29 @@ on:
     # Random minute number to avoid GH scheduler stampede
     - cron: '37 21 * * *'
   workflow_dispatch: {}
-
 env:
   NIGHTLY: true
-
 jobs:
   build-and-publish-images:
     runs-on: ubuntu-20.04
-
     permissions:
       contents: read
       packages: write
-
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3
       - name: Build images
         run: make images scratch-images
       - name: Log in to GCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: gcr.io
           username: _json_key
           password: ${{ secrets.GCR_JSON_KEY }}
       - name: Push images
         run: ./.github/workflows/scripts/push-images.sh nightly
       - name: Log in to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}