security: pin asdf-vm/actions/setup action to commit SHA

- Replace asdf-vm/actions/setup@v4 with full commit SHA (b7bcd026f18772e44fe1026d729e1611cc435d47)
- Applied to docs-stage-1-commit.yaml and stage-1-commit.yaml
- Prevents supply chain attacks via tag/branch manipulation
- Added comment indicating this is v4 for maintainability

Author: RossBugginsNHS

.github/workflows/docs-stage-1-commit.yaml

@@ -145,7 +145,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v5
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v4
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"

.github/workflows/stage-1-commit.yaml

@@ -156,7 +156,7 @@ jobs:
       - name: "Checkout code"
         uses: actions/checkout@v5
       - name: "Setup ASDF"
-        uses: asdf-vm/actions/setup@v4
+        uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 # v4
       - name: "Perform Setup"
         uses: ./.github/actions/setup
       - name: "Trivy Scan"