improve security: add sha to gihub actions

[robfrank]

What does this PR do?

Improve security of CI/CD pipeline adding sha reference to every github action used in the workflows.
It also adds https://github.com/marketplace/actions/ensure-sha-pinned-actions to check that every action used in workflows has the sha.

Motivation

As suggested in https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions:

• Pin actions to a full length commit SHA

• Audit the source code of the action

• Pin actions to a tag only if you trust the creator

• I have run the build using mvn clean package command

• My unit tests cover both failure and success scenarios

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -0.01%	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (affcb0c)	71964	38928	54.09%
Head commit (db246b5)	71964 (+0)	38923 (-5)	54.09% (-0.01%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#1804)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

_{Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more}