Pin remaining actions to commit SHAs

Completes the SHA pinning started in PR #443. The core build
workflows (ci.yml, bakery-build-*.yml) were already pinned; this
covers the auxiliary workflows that were missed: docs.yml,
hadolint.yml, and the slack-build-notify composite action.

Mutable git tags are the exact vector exploited in the tj-actions
supply chain attack (Unit 42, March 2025) — attackers overwrote
tags to point to malicious commits.

Author: bschwedler

.github/actions/slack-build-notify/action.yml

@@ -17,7 +17,7 @@ runs:
   steps:
     - name: Notify Slack on state transition
       if: inputs.slack-webhook-url != '' && github.repository_owner == 'posit-dev'
-      uses: actions/github-script@v9
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
       env:
         SLACK_WEBHOOK_URL: ${{ inputs.slack-webhook-url }}
         CURRENT_RESULT: ${{ inputs.result }}

.github/workflows/docs.yml

@@ -14,13 +14,13 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Set up Quarto
-        uses: quarto-dev/quarto-actions/setup@v2
+        uses: quarto-dev/quarto-actions/setup@8a96df13519ee81fd526f2dfca5962811136661b  # v2.2.0
 
       - name: Render and Publish
-        uses: quarto-dev/quarto-actions/publish@v2
+        uses: quarto-dev/quarto-actions/publish@8a96df13519ee81fd526f2dfca5962811136661b  # v2.2.0
         with:
           target: gh-pages
           path: posit-bakery/docs

.github/workflows/hadolint.yml

@@ -37,7 +37,7 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Setup bakery
         uses: "posit-dev/images-shared/setup-bakery@main"