Pin 3rd-party actions to SHA1

[fbricon]

Hi!

Following the GH Action Security Hardening guide we should use the commit SHA instead of the branch or tag for any third-party untrusted action.

This PR was submitted by a script.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.46%. Comparing base (9f8f207) to head (4e7fd6c).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #738   +/-   ##
=======================================
  Coverage   67.46%   67.46%           
=======================================
  Files         118      118           
  Lines        6866     6866           
  Branches     1208     1208           
=======================================
  Hits         4632     4632           
  Misses       2234     2234           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rgrunber]

Change looks good to me. Feel free to merge.