
Third party actions should be referenced more securely #10

@briantist

Description

We use a number of external actions from a handful of authors within our composite actions and workflows.

When actions were first released, the most common way to reference these was with a major version number, that corresponded to a tag, like actions/checkout@v2.

But this is insecure, as what is published at that tag can change any time. So best practice is to mitigate this with one of a few strategies, like forking the repo so you can reference from the fork (and update the fork at your convenience), or referencing a commit hash in the original repo (the commit could disappear but this prevents malicious changes).

For our use case, the latter option probably makes the most sense.

Doing this means we also need a way to keep up with upstream changes, review them, and update the hashes from time to time.

We should also decide whether we do this for every action, or if we will trust some publishers, like GitHub (anything under the actions/ organization).

As far as keeping the hashes up to date, I was looking at dependabot, which has support for this, but it seems like it only supports action references within workflow files, not references within composite actions (which is where we need it most).
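Since dependabot does not cover `uses:` references inside composite actions, the following added example (not code from this repository) scans workflow and composite `action.yml` text for references that are not pinned to a full commit hash, with an optional allowlist of trusted owners such as `actions`. The sample action and its SHA are constructed placeholders.

```python
import re
from typing import List, Tuple

# Matches the action reference in a `uses:` line; a trailing "# v4" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned(text: str, trusted_owners=frozenset()) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for each `uses:` not pinned to a full commit SHA.
    Workflow files and composite action.yml files share the same `uses:` syntax, so the
    same scan covers both. Local (./path) and docker:// references are skipped, and
    owners in `trusted_owners` (e.g. {"actions"}) may float on a tag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:                      # no ref at all: floats on the default branch
            findings.append((lineno, ref))
            continue
        name, version = ref.rsplit("@", 1)
        if name.split("/", 1)[0] in trusted_owners:
            continue
        if not SHA_RE.match(version):           # tag or branch name, mutable upstream
            findings.append((lineno, ref))
    return findings

# Constructed sample composite action, not a file from the project; the SHA is a placeholder.
SAMPLE_ACTION_YML = """\
name: example-composite
runs:
  using: composite
  steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v4
    - uses: some-org/helper-action@main
    - uses: ./local-action
    - run: echo hi
      shell: bash
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_ACTION_YML):
        print(f"line {lineno}: {ref} is not pinned to a commit hash")
```

Running it over a checkout (`.github/workflows/*.yml` and every `action.yml`) in CI fails the build on the reported lines; the trusted-owner set is the place to record whichever publishers the team decides to exempt.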
