Conversation

@rwaight commented Jan 7, 2025

The purpose of this PR is to improve the baseline security for using GitHub Actions with the docs-builder; mainly to improve user awareness as they use this elastic/docs-builder-example repo to deploy documentation using GitHub Actions.

This PR pins the GitHub actions to the commit SHA, with a comment including the version.

This also adds notes to the workflow with a link to the action in the GitHub Marketplace.

This is related to elastic/docs-builder#146 and elastic/docs-builder#147.

@Mpdreamz (Member) commented Jan 7, 2025

I'm in two minds here

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

is fantastic advice for third-party actions. I'm questioning if our own Elastic and GitHub actions qualify as such.

Here we very much want folks to (semantically) get the latest and greatest.

e.g. elastic/docs-builder@v1 will be used in the future by ~100 repositories. Having to update commit refs on all of these each time we do a release is not maintainable.

This is also common practice for other GitHub actions that are shared within Elastic, see e.g.:

https://github.com/elastic/oblt-actions and individual action documentation:

https://github.com/elastic/oblt-actions/tree/main/oblt-cli/cluster-credentials#usage

@Mpdreamz (Member) commented Jan 8, 2025

As discussed here, elastic/docs-builder#146 (comment), we are good to depend on tags for GitHub and Elastic published actions.

We should start using our https://github.com/elastic/docs-builder/blob/main/actions/publish/action.yml action here as well.

@Mpdreamz Mpdreamz closed this Jan 8, 2025
@rwaight rwaight deleted the ci/pin-actions-version-commits branch January 8, 2025 15:01