ofiwg / libfabric

Open Fabric Interfaces
http://libfabric.org/

.github/workflows: Pin all dependencies by hash instead of version number #10143

Open Juee14Desai opened 6 days ago

Juee14Desai commented 6 days ago

The OSSF Scorecard has a 1/10 score for Pinned-Dependencies. To increase this score, all dependencies have to be pinned by hash.

The OSSF help suggests using the StepSecurity tool to update the dependencies. For more information: https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#pinned-dependencies

To check the list of dependencies flagged in the report, go to the Pinned-Dependencies section: https://securityscorecards.dev/viewer/?uri=github.com/ofiwg/libfabric
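The change the issue asks for, shown as an added example that is not part of the libfabric repository or of this issue: a POSIX shell script that rewrites the `uses:` lines of a GitHub Actions workflow from a mutable tag (`actions/checkout@v4`) to the full commit SHA the tag points at, keeping the tag as a trailing comment (`@<sha> # v4`). That trailing-comment form is what the StepSecurity tool emits and what Dependabot understands when it later proposes a newer SHA. `resolve_sha` is the real resolver and needs network access; `demo_resolve` is a constructed stand-in that returns a made-up SHA (not a real commit of any action) so the script can be exercised offline. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the libfabric project: pin GitHub Actions
# `uses:` references to full commit SHAs (Scorecard's Pinned-Dependencies
# check), keeping the tag as a comment so Dependabot can still bump it.

SHA_RE='^[0-9a-f]{40}$'
# Unquoted `uses:` step values only: optional indent, optional "- ", then OWNER/REPO@...
USES_RE="^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*[^[:space:]#\"']+@"

# Resolve "OWNER/REPO[/subpath] TAG" to the commit the tag points at (network).
# For an annotated tag, ls-remote lists both "refs/tags/TAG" (the tag object)
# and the dereferenced "refs/tags/TAG^{}" (the commit); refs come back in name
# order, so the commit is the last line either way.
resolve_sha() {
  repo=$(printf '%s' "$1" | cut -d/ -f1,2)
  tag=$2
  git ls-remote "https://github.com/$repo" "refs/tags/$tag" "refs/tags/$tag^{}" \
    | tail -n 1 | cut -f 1
}

# Constructed offline resolver for demonstration: the SHA is made up and is
# not a real commit of any action.
demo_resolve() {
  printf '%s\n' "0123456789abcdef0123456789abcdef01234567"
}

# Rewrite one workflow line:  uses: OWNER/REPO@TAG  ->  uses: OWNER/REPO@SHA # TAG
# $1 = the line, $2 = name of a resolver function invoked as "$2 ACTION TAG".
# Passed through unchanged: lines that are not `uses:` steps, local actions
# (./path), docker:// images, and refs that are already a 40-hex SHA.
# Fails (exit 1) rather than write a non-SHA value into the workflow.
pin_uses_line() {
  line=$1 resolver=$2
  if ! printf '%s' "$line" | grep -Eq "$USES_RE"; then
    printf '%s\n' "$line"; return 0
  fi
  prefix=${line%%@*}                                   # text up to the first '@'
  action=$(printf '%s' "$prefix" | sed -E 's/^.*uses:[[:space:]]*//')
  ref=$(printf '%s' "${line#*@}" | sed -E 's/[[:space:]]*(#.*)?$//')   # drop any comment
  case $action in
    ./*|docker://*) printf '%s\n' "$line"; return 0 ;;
  esac
  if printf '%s' "$ref" | grep -Eq "$SHA_RE"; then
    printf '%s\n' "$line"; return 0                    # already pinned
  fi
  sha=$("$resolver" "$action" "$ref") || return 1
  if ! printf '%s' "$sha" | grep -Eq "$SHA_RE"; then
    echo "pin_uses_line: '$action@$ref' resolved to '$sha', not a commit SHA" >&2
    return 1
  fi
  printf '%s@%s # %s\n' "$prefix" "$sha" "$ref"
}

# Rewrite a whole workflow, stdin to stdout; stops at the first unresolvable ref.
# Real run:  pin_workflow resolve_sha < .github/workflows/ci.yml > ci.pinned.yml
pin_workflow() {
  resolver=$1
  while IFS= read -r line || [ -n "$line" ]; do
    pin_uses_line "$line" "$resolver" || return 1
  done
}
```

Two caveats for anyone applying this to a real workflow. The SHA, not the comment, is what GitHub checks out, so a stale or wrong comment is cosmetic, but the SHA must come from the upstream repository you trust (resolve it from `github.com/OWNER/REPO`, as above, not from a fork). And Scorecard's Pinned-Dependencies check also counts Dockerfile `FROM` images without a digest and download-and-run commands in `run:` steps (`pip install`, `npm install`, `curl | sh`), none of which this script touches.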

j-xiong commented 3 days ago

Would it affect how Dependabot works?