semgrep workflow: pin Docker image and actions to version tags

Pin returntocorp/semgrep container image to a specific version
and GitHub Actions to major version tags to prevent :latest
tag resolution and reduce supply-chain attack surface.

Fixes: LCNC-15821

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bstack-security-github

.github/workflows/Semgrep.yml

@@ -27,8 +27,7 @@ jobs:
 
     container:
       # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
-
+      image: returntocorp/semgrep:1.166.0
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')