Lock down allowed github actions versions

Similar to [hyperledger/besu](https://github.com/hyperledger/besu/blob/main/.github/workflows/develop.yml#L15) we should lock the actions down to specific SHAs instead of using aliases.  It is safer and can help avoid a ci supply chain attack