Use Commit Hashes to Version Reusable Github Actions Tasks

[sarina]

In response to https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/ we should move to pinning GitHub Action versions by commit hash.

Some resources:

• Not natively supported: Support "lock file" equivalent for GitHub actions actions/runner#2195
• Dependabot may support this: For actions that are pinned-by-hash, bump the human readable version number in the code comment dependabot/dependabot-core#4691
• We may be able to run pinact as a one-off and then leverage Dependabot after that.

[arbrandes]

@farhan, have you been able to look into this at all, yet?

[farhan]

@arbrandes We tried https://github.com/suzuki-shunsuke/pinact, it's working fine
How can we run it in all the repositories, this what we were discussing yesterday
We are on the edge of getting relax from the XBlock extraction work, we have prioritize it as next.