fix(ci): correct security/docker action SHAs to valid release commits

The pinned SHAs for gosec / trivy-action / docker-* actions were
invalid (not reachable refs), breaking CI. Repin to the exact commits
behind their release tags (gosec v2.22.4, trivy v0.28.0,
metadata v5.7.0, buildx v3.10.0, qemu v3.6.0).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: Patel230

.github/workflows/docker.yml

@@ -27,10 +27,10 @@ jobs:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86e7dce2983e2aca5ad12 # v3.6.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36773596c3112 # v3.10.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Log in to GHCR
         if: github.event_name != 'pull_request'
@@ -42,7 +42,7 @@ jobs:
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbea1f9daf56d2a234dc26bc6589 # v5.7.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -68,7 +68,7 @@ jobs:
 
       - name: Scan image with Trivy
         if: github.event_name != 'pull_request'
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a1b7dc4a94af1a4f3f8 # v0.28.0
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
           format: sarif