[StepSecurity] ci: Harden GitHub Actions (#11)
## Summary

This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo) at the request of
@jmertic. Please merge the Pull Request to incorporate the requested
changes. Please tag @jmertic on your message if you have any questions
related to the PR.
## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to a
full-length commit.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback

For bug reports, feature requests, and general feedback, please email
[email protected]. To create such PRs, please visit
https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <[email protected]>

Signed-off-by: StepSecurity Bot <[email protected]>
Signed-off-by: John Mertic <[email protected]>
Co-authored-by: John Mertic <[email protected]>
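The commit message above states the rule (tags and branches are mutable, a full-length commit SHA is not) but gives no way to check a workflow for it. The following is an added example, not StepSecurity's tooling and not code from this repository: a small line-based scanner that classifies every `uses:` reference in a workflow file by pin type and returns the ones a CI gate should reject. The sample workflow embedded in it is constructed for the example; it reuses the two lines this commit changed (before and after) and adds a checkout tag, a local action and two Docker image references for contrast. It deliberately uses a regex over lines rather than a YAML parser so it runs with no dependencies, and it treats a `docker://` image as pinned only when it carries an `@sha256:` digest (the Docker analogue of a commit SHA).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A full-length Git commit SHA: 40 lowercase hex digits. This is the only
# immutable reference form for a GitHub Action.
SHA40 = re.compile(r"^[0-9a-f]{40}$")

# `- uses: <ref>` or `uses: <ref>`, with an optional trailing `# comment`
# (the convention is to note the tag the SHA was taken from).
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")


@dataclass
class Finding:
    line: int
    ref: str    # the `uses:` value exactly as written
    kind: str   # "sha", "tag", "branch", "local", "docker" or "unpinned"
    ok: bool    # True when the upstream owner cannot move the reference
    note: str


def classify(uses_value: str, comment: Optional[str]) -> Tuple[str, bool, str]:
    """Decide whether one `uses:` value is pinned to an immutable reference."""
    if uses_value.startswith("./"):
        return "local", True, "local action, reviewed with this repository"
    if uses_value.startswith("docker://"):
        if "@sha256:" in uses_value:
            return "docker", True, "image pinned by digest"
        return "docker", False, "image tag is mutable; pin with @sha256:<digest>"
    if "@" not in uses_value:
        return "unpinned", False, "no ref; resolves to the default branch head"
    ref = uses_value.rsplit("@", 1)[1]
    if SHA40.match(ref):
        label = (comment or "").strip()
        if not label:
            return "sha", True, "pinned; add a `# vX.Y.Z` comment naming the tag"
        if label in ("master", "main"):
            return "sha", True, "pinned to a branch commit, not a release; prefer a release tag's SHA"
        return "sha", True, f"pinned to the commit for {label}"
    if re.match(r"^v?\d", ref):
        return "tag", False, f"tag `{ref}` is mutable; replace with its 40-hex commit SHA"
    return "branch", False, f"branch `{ref}` is mutable; replace with a release commit SHA"


def check_workflow(text: str) -> List[Finding]:
    """Scan a workflow file line by line and classify every `uses:` reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES.match(line)
        if m:
            kind, ok, note = classify(m.group(1), m.group(2))
            findings.append(Finding(n, m.group(1), kind, ok, note))
    return findings


def unpinned(text: str) -> List[str]:
    """The refs a CI gate should reject: everything not pinned to an immutable ref."""
    return [f.ref for f in check_workflow(text) if not f.ok]


# Constructed sample workflow (not a real file from this repository): the two
# lines this commit changed, before and after, plus a checkout tag, a local
# action and two Docker images for contrast.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: Install poetry
        uses: abatilo/actions-poetry@v3
      - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
      - uses: SonarSource/sonarcloud-github-action@f5003fc9688ade81ce47b57a3fa97a8d3f12de4c # master
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE):
        status = "OK " if f.ok else "BAD"
        print(f"{status} line {f.line:>2} {f.kind:<8} {f.ref}  {f.note}")
```

Run against the sample, `unpinned()` returns the four mutable references (the two pre-change lines, the `actions/checkout@v4` tag and the `alpine:3.20` image), while the two SHA-pinned lines from this commit pass. Note that a SHA annotated `# master` still passes the immutability check; the note it carries is the reviewer's cue that the pin is to an arbitrary branch commit rather than a release.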
step-security-bot and jmertic authored Aug 14, 2024
1 parent fee8e1c commit 001e4e4
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
@@ -32,7 +32,7 @@ jobs:
with:
python-version: '3.x'
- name: Install poetry
uses: abatilo/actions-poetry@v3
uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
- name: Run tests
run: |
poetry install --with test
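Review bot: the new `uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0` line replaces a floating `v3` major tag, and the `# v3.0.0` comment is the only thing telling a reader what the SHA corresponds to; confirm that the SHA is the commit the `v3.0.0` tag actually resolves to, since nothing in the workflow enforces that the comment and the hash agree, and SHA-updating tools key on that comment. Pinning also freezes the action at this commit, so make sure Dependabot or Renovate is configured for the `github-actions` ecosystem in this repository, or the step will silently stop receiving upstream fixes.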
@@ -45,7 +45,7 @@ jobs:
name: debug-log
path: ./debug.log
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
uses: SonarSource/sonarcloud-github-action@f5003fc9688ade81ce47b57a3fa97a8d3f12de4c # master
continue-on-error: true # added since if it's a PR from a different user account, the credentials won't pass over
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
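Review bot: the pin on the `uses: SonarSource/sonarcloud-github-action@f5003fc9688ade81ce47b57a3fa97a8d3f12de4c # master` line is immutable, which is the point of the change, but the `# master` annotation only records that the SHA was taken from the `master` branch at some moment, not which release it is; prefer the SHA of a tagged release and annotate it with that tag's name so the pin is auditable and an updater can bump it to the next release. Worth noting that `continue-on-error: true` on this same step means a scan that fails after the pin would not fail the job, so check the step's output on the first run after merging.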