ci: actions in workflow should be pinned to commit SHA not tags #716

@andrewb1269hg

Description

It is best practice for actions in a workflow to be pinned to a specific commit SHA rather than using the latest tag. This is because using the latest tag opens an attack vector for malicious packages to be pulled in. Some examples include:

  • Upstream action publishes a commit with malicious code in it
  • Upstream action does not have rules set correctly, and a malicious actor is able to publish a new tag from a private branch
  • Upstream action does not have GPG signing required, and a malicious actor is able to publish a new commit that looks like an automated commit (fake dependabot/renovatebot).

With actions pinned to a specific commit, we should have dependabot update the various packages on a weekly cadence and roll the SHA forward after review from the team.
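The check the issue asks for, as an added example that is not the issue author's or the project's own code: a small audit that walks a workflow file and reports every `uses:` reference that is not pinned to a full 40-hex commit SHA. The sample workflow, the `example-org/lint-action` name and the SHA on the `setup-go` step are constructed placeholders, not real releases. The `dependabot.yml` at the end is the stock configuration for the `github-actions` ecosystem on a weekly schedule; with SHA-pinned steps Dependabot rolls the SHA forward and keeps a trailing `# vX.Y.Z` comment in step.

```python
"""Audit a GitHub Actions workflow for `uses:` references not pinned to a SHA.

Added example; not code from the issue or the project it was filed against.
SAMPLE_WORKFLOW is constructed input and its 40-hex SHA is a placeholder.
"""
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/subdir]@ref` with or without a leading list dash,
# optional quotes, and a trailing `# comment` (stopped at whitespace, quote, #).
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


@dataclass
class UsesRef:
    line: int     # 1-based line number in the workflow text
    action: str   # e.g. "actions/checkout"
    ref: str      # text after "@", or "" when there is none
    kind: str     # "sha" | "mutable" | "local" | "docker"


def classify(action_ref: str) -> tuple[str, str, str]:
    """Split 'owner/repo@ref' and say whether the ref is immutable.

    Only a full 40-hex commit SHA counts as pinned. A tag (v4) or branch
    (main, master) can be moved by whoever controls the upstream repository,
    which is exactly the attack surface the issue describes. Local actions
    (./path) ship with this repository; docker:// references are reported
    separately because they are pinned by image digest, not git SHA.
    """
    if action_ref.startswith("./"):
        return action_ref, "", "local"
    if action_ref.startswith("docker://"):
        return action_ref, "", "docker"
    action, _, ref = action_ref.partition("@")
    kind = "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"
    return action, ref, kind


def find_uses(workflow_text: str) -> list[UsesRef]:
    """Every `uses:` reference in the workflow, classified."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group(1))
            refs.append(UsesRef(n, action, ref, kind))
    return refs


def unpinned(workflow_text: str) -> list[UsesRef]:
    """The findings a CI gate would fail the build on."""
    return [r for r in find_uses(workflow_text) if r.kind == "mutable"]


# Constructed sample: two mutable refs (tag and branch), one SHA-pinned step
# with the version comment Dependabot maintains, and one local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.2 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - name: lint
        uses: example-org/lint-action@master
"""

# Weekly Dependabot updates for the actions ecosystem, as the issue proposes.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref} is not pinned to a commit SHA")
```

Run it as a pre-merge check over `.github/workflows/*.yml` and fail the job when `unpinned()` returns anything; the `# v5.0.2` comment beside the SHA is what keeps the pinned form reviewable and lets Dependabot's weekly PR bump both the SHA and the comment together.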
