Pin GH actions (spiffe#3727)

Dependabot is also capable of pinning to future tag releases
and will maintain the comment that descibes the shasum.

dependabot/dependabot-core#4691

Signed-off-by: Marco Franssen <[email protected]>
Co-authored-by: Evan Gilman <[email protected]>

.github/workflows/depsreview.yaml

@@ -10,6 +10,6 @@ jobs:
 
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/[email protected]
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # ratchet:actions/[email protected]

.github/workflows/nightly_build.yaml

@@ -22,17 +22,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/[email protected]
       - name: Install cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1
         with:
           cosign-release: v1.13.1
       - name: Install regctl
-        uses: regclient/actions/regctl-installer@main
+        uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # ratchet:regclient/actions/regctl-installer@main
       - name: Build images
         run: make images load-images
       - name: Log in to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/[email protected]
         with:
           registry: ghcr.io
           username: ${{ github.actor }}