CI: pin actions by SHA

This eliminates the possibility of a tag being changed under
us.

Author: tacaswell

.github/workflows/build.yml

@@ -119,7 +119,7 @@ jobs:
           echo "SDIST_DIR=$extractedDir" | Out-File -FilePath $env:GITHUB_ENV -Append
 
       - name: Build basemap wheels from sdist
-        uses: pypa/[email protected]
+        uses: pypa/cibuildwheel@ee63bf16da6cddfb925f542f2c7b59ad50e93969 # v2.22.0
         env:
           CIBW_ARCHS: "native"
           CIBW_BUILD: "cp39* cp310* cp311* cp312* cp313*"
@@ -270,7 +270,7 @@ jobs:
           merge-multiple: true
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           password: ${{ secrets.PYPI_TOKEN }}
           repository-url: ${{ secrets.PYPI_REPOSITORY_URL }}