GitHub Actions security hardening

Use commit SHAs for third-party actions to ensure that the same versions
are always being downloaded.

.github/workflows/main.yml

@@ -12,10 +12,10 @@ jobs:
   build-and-push-images:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
       - name: Login to the Docker registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 # v1.10.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}