Pin third-party actions to commit SHAs

[kurtismash]

This PR pins third-party GitHub Actions to full commit SHAs for supply-chain security.

This has been done automatically by pinact. When reviewing please confirm that the SHAs are correct, zizmor will alert if not.

As a maintainer, please merge this PR once approved.

[techncl]

Just 2 questions:

1. these are very old versions, should we update them now, or wait for dependabot?
2. Line 26 just has #v2 without any decimals; is that valid?

By the way, in case you were wondering, I added branch protection on this repo

[kurtismash]

Just 2 questions:

1. these are very old versions, should we update them now, or wait for dependabot?
2. Line 26 just has #v2 without any decimals; is that valid?

By the way, in case you were wondering, I added branch protection on this repo

1. As I've done this in bulk, I've not updated the actions as then I'd have to resolve all the breaking changes too. Dependabot isn't set to manage Actions in this repo and the last commit was 4 years ago - is this repo still active/needed?
2. Well spotted, the v2.1.8 tag and v2 tag reference different commits (2b250bc vs 8492260), which is unexpected. I've modified to use v2.1.8.

[kurtismash]

actions/cache V2 is deprecated too.

Error: This request has been automatically failed because it uses a deprecated version of actions/cache: 2b250bc32ad02700b996b496c14ac8c2840a2991. Please update your workflow to use v3/v4 of actions/cache to avoid interruptions. Learn more: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down

[techncl]

is this repo still active/needed?

I'm not sure; this is a Java library so maybe someone, somewhere is using it.