build: Pin GitHub Actions

The main benefit of pinning GitHub actions is the determinism it brings
in terms of what version of a given action will be executed. This is
a step towards having hermetic builds.

Once pinned to a commit, dependabot will automatically issue PRs to update
to newer versions.

Pinned versions is the only security metric from OpenSSF scorecard that
this repository currently have a zero score.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

.github/workflows/update.yaml

@@ -18,9 +18,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
         with:
           go-version: 1.19.x
       - name: Update component versions
@@ -75,7 +75,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@b4d51739f96fca8047ad065eccef63442d8e99f7 # v4
         with:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           commit-message: |