Open ccjernigan opened 1 year ago
We use Dependabot to ensure our actions workflows are up-to-date. @ccjernigan pointed me to an example of Dependabot understanding revision-pinned dependencies and updating them to tag-matched revisions: https://github.com/zcash/kotlin-bip39/pull/151
It would be nicer if Dependabot added a comment indicating which version the revision corresponds to, but otherwise that looks very nice (and I'm now curious as to why Dependabot isn't just upgrading everyone's workflows to revisions if it is configured to provide updates).
In any case, after #773 merges the only actions we will depend on that are not authored by GitHub itself are:
- actions-rs/toolchain for setting non-MSRV Rust toolchains (which is an annoying amount of work to do correctly inline).
- actions-rs/clippy-check for publishing cargo clippy output as PR annotations.
- codecov/codecov-action for uploading cargo-tarpaulin coverage reports to https://codecov.io.
- peaceiris/actions-gh-pages for uploading the built book to GitHub Pages (this one really should have a GitHub-authored equivalent).
Rather than using tagged versions for GitHub Actions, our builds could be more reproducible if we leveraged the Git shas instead.
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
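An added example, not code from this issue or the zcash project: a small Python audit that flags `uses:` references to third-party actions that are not pinned to a full 40-hex commit SHA, and SHA-pinned ones that lack the version comment the discussion above wishes Dependabot would add. The sample workflow and its SHAs are constructed placeholders, and the `trusted_owners` exemption for GitHub-authored actions is an assumption mirroring the distinction drawn above.

```python
import re

# A step reference of the form owner/repo[/path]@ref, optionally followed by "# comment".
# References without "@" (local ./actions, docker:// images) do not match and are ignored.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - uses: codecov/codecov-action@0000000000000000000000000000000000000000 # v3.1.1
      - uses: peaceiris/actions-gh-pages@1111111111111111111111111111111111111111
      - uses: ./.github/actions/local-thing
"""


def audit_uses(workflow_text, trusted_owners=("actions",)):
    """Return (line_no, action, ref, reason) for every third-party action that is
    either not SHA-pinned or SHA-pinned without a version comment.

    Actions owned by `trusted_owners` are skipped (assumption: GitHub-authored
    actions are treated as acceptable on tags, as the issue discussion does).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.split("/")[0] in trusted_owners:
            continue
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref, "not pinned to a full commit SHA"))
        elif not comment:
            # A "# vX.Y.Z" comment is what tells a reviewer which release the SHA maps to.
            findings.append((line_no, action, ref, "sha-pinned but no version comment"))
    return findings


def is_compliant(workflow_text, trusted_owners=("actions",)):
    return not audit_uses(workflow_text, trusted_owners)
```

Running `audit_uses(SAMPLE_WORKFLOW)` reports the tag-pinned actions-rs/toolchain step and the uncommented peaceiris/actions-gh-pages SHA, while the commented codecov pin passes.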