chore(renovate): add pinDigests to ensure SHA pinning for GitHub Actions

The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.

Related: privilegedescalation/.github#63, PRI-757

renovate.json

@@ -4,6 +4,7 @@
   "baseBranches": ["main"],
   "schedule": ["every weekend"],
   "prConcurrentLimit": 10,
+  "pinDigests": true,
   "packageRules": [
     {
       "matchManagers": ["npm"],
@@ -17,3 +18,4 @@
     }
   ]
 }
+