
Update workflows to use commit hashes per OpenSSF Scorecard guidelines.

Open jauderho opened this issue 3 years ago • 2 comments

Dependabot will do the right thing and issue PRs as necessary.

Signed-off-by: Jauder Ho [email protected]

jauderho avatar Feb 14 '22 17:02 jauderho

What is the purpose of this change? According to GitHub guidelines, shouldn't we be using a version tag for actions?

kzantow avatar Feb 14 '22 18:02 kzantow

@kzantow please see https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

A "pinned dependency" is a dependency that is explicitly set to a specific hash instead of allowing a mutable version or range of versions. It is currently limited to repositories hosted on GitHub, and does not support other source hosting repositories (i.e., Forges).

The check works by looking for unpinned dependencies in Dockerfiles, shell scripts and GitHub workflows.

Pinned dependencies reduce several security risks:

  • They ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility.
  • They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised).
  • They are one way to counter dependency confusion (aka substitution) attacks, in which an application uses multiple feeds to acquire software packages (a "hybrid configuration"), and attackers fool the user into using a malicious package via a feed that was not expected for that package.

jauderho avatar Feb 14 '22 22:02 jauderho
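A small defender-side check in the spirit of the Scorecard rule quoted above, added here as an illustration (it is not Scorecard's code and not part of this PR): it scans a constructed workflow for `uses:` references and flags any that are not pinned to a full 40-hex commit SHA, or, for `docker://` images, to a digest. The workflow text, the SHA and the digest are constructed placeholders.

```python
import re

# Constructed placeholders: a fake 40-hex commit SHA and a fake image digest.
CONSTRUCTED_SHA = "0123456789abcdef" * 2 + "01234567"
CONSTRUCTED_DIGEST = "sha256:" + "ab" * 32

# Constructed sample workflow mixing pinned and unpinned references.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@{CONSTRUCTED_SHA} # v2.4.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.15
      - uses: docker://alpine@{CONSTRUCTED_DIGEST}
      - uses: anchore/sbom-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_pinned(ref: str) -> bool:
    """True when a `uses:` reference points at an immutable identifier."""
    if ref.startswith("./"):  # local action checked out with the repo itself
        return True
    if ref.startswith("docker://"):  # container image: tag is mutable, digest is not
        image = ref[len("docker://"):]
        if "@" not in image:
            return False
        return DIGEST_RE.match(image.split("@", 1)[1]) is not None
    if "@" not in ref:  # no ref at all (defaults to the default branch)
        return False
    _, version = ref.rsplit("@", 1)  # tags and branches fail, full SHAs pass
    return SHA_RE.match(version) is not None


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every unpinned `uses:` entry."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings
```

Running `find_unpinned(SAMPLE_WORKFLOW)` reports the `@v3`, `alpine:3.15` and `@main` lines; the SHA-pinned, digest-pinned and local entries pass.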