Use a pinned compiler version to run cargo audit
This avoids CI failures like this
arising from situations like this
- cargo-audit install fails with rust 1.80 https://github.com/rustsec/rustsec/issues/1217
- error[E0282]: type annotations needed for Box<_> https://github.com/time-rs/time/issues/693
IMO we should pin many of the other images too but I suspect that may be controversial. I'm hoping that pinning this one to get CI working is uncontroversial (perhaps only on a temporary basis).
The other way to solve this would be to remove --locked which IMO is going in the wrong direction, by exposing us to more rather than fewer uncontrolled inputs from our upstreams.