State: Open
Labels: security (Relates to improving the security posture of the platform)
Description
In response to https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/ we should move to pinning GitHub Action versions by commit hash.
Some resources:
- Not natively supported: "Support 'lock file' equivalent for GitHub actions" (actions/runner#2195)
- Dependabot may support this: "For actions that are pinned-by-hash, bump the human readable version number in the code comment" (dependabot/dependabot-core#4691)
- We may be able to run pinact as a one-off and then leverage Dependabot after that.
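As an added example (not part of the issue or the project's code), the following script audits a workflow file for the problem described above: `uses:` references that point at a mutable tag or branch instead of a full 40-character commit hash. It also flags hash-pinned steps that lack the trailing `# vX.Y.Z` comment Dependabot relies on to bump the human-readable version. The workflow text and the 40-hex values are constructed placeholders, and the classification rules (local `./` actions skipped, `docker://` images expected to carry a `@sha256:` digest) are this example's assumptions, not rules from the issue.

```python
import re

# Constructed sample workflow, not taken from the project. The 40-hex
# values below are placeholders, not real commit hashes.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4.0.0
      - uses: actions/cache@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: someorg/some-action@main
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Human-readable version comment Dependabot keeps in sync, e.g. "# v4.0.0".
VERSION_COMMENT = re.compile(r"#\s*v?\d")


def classify_ref(ref):
    """Classify a `uses:` reference.

    Returns one of:
      'local'         - a ./path action inside the repository (nothing to pin)
      'docker-digest' - a docker:// image pinned by @sha256: digest
      'hash'          - a git action pinned to a full 40-hex commit hash
      'mutable'       - anything else (tag, branch, short SHA, image tag)
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA.match(version):
        return "hash"
    # Short SHAs are treated as mutable: they are not collision-resistant
    # identifiers and GitHub resolves them by prefix.
    return "mutable"


def audit_workflow(text):
    """Return [(line_no, ref, reason)] for every step that needs attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        kind = classify_ref(ref)
        if kind == "mutable":
            findings.append((n, ref, "mutable-ref"))
        elif kind == "hash" and not VERSION_COMMENT.search(line[m.end():]):
            findings.append((n, ref, "hash-without-version-comment"))
    return findings


if __name__ == "__main__":
    for n, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {reason}")
```

Point `audit_workflow` at the contents of each file under `.github/workflows/` to get a list of steps to pin before running a tool such as pinact, and run it again afterwards as a CI check so that a new tag-pinned step cannot be merged unnoticed.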
Status: Todo