Update workflows to use commit hashes per OpenSSF Scorecard guidelines.

[jauderho]

Dependabot will do the right thing and issue PRs as necessary.

Signed-off-by: Jauder Ho jauderho@users.noreply.github.com

[kzantow]

What is the purpose of this change? According to GitHub guidelines, shouldn't we be using a version tag for actions?

[jauderho]

@kzantow please see https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

---

A "pinned dependency" is a dependency that is explicitly set to a specific hash instead of
allowing a mutable version or range of versions. It
is currently limited to repositories hosted on GitHub, and does not support
other source hosting repositories (i.e., Forges).

The check works by looking for unpinned dependencies in Dockerfiles, shell scripts and GitHub workflows.

Pinned dependencies reduce several security risks:

• They ensure that checking and deployment are all done with the same
  software, reducing deployment risks, simplifying debugging, and enabling
  reproducibility.
• They can help mitigate compromised dependencies from undermining the
  security of the project (in the case where you've evaluated the pinned
  dependency, you are confident it's not compromised, and a later version is
  released that is compromised).
• They are one way to counter dependency confusion (aka substitution) attacks,
  in which an application uses multiple feeds to acquire software packages (a
  "hybrid configuration"), and attackers fool the user into using a malicious
  package via a feed that was not expected for that package.