Unpin actions to fix dependabot bumping

Since September 2025, dependabot does not update some actions
anymore. Putting in a comment the _version tag_ (next to the
sha) make it clear that the intent is not to pin and should
allow further bumping by dependabot.

This was not necessary in the past and seem required now.

Signed-off-by: Jean-Philippe Evrard <open-source@a.spamming.party>

.github/workflows/on-main-push.yaml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 

.github/workflows/on-tag.yaml

@@ -84,7 +84,7 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 

.github/workflows/periodics-weekly.yaml

@@ -65,7 +65,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Link Checker
-      uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0
+      uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0
       env:
         GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       with: