Hash-pinning pre-commit hooks #108

@mathbunnyru

Description

From what I've seen, everyone only pins revisions when using pre-commit hooks.

Even though usually these hooks are run in a separate workflow, malicious code can also be run in a developer's environment without any changes to our source code (someone can push the malicious code to the hook using the same revision).

To overcome this, we can pin hooks using a commit hash like this: rev: ce40a160603ab0e7d9c627ae33d7ef3906e2d2b2 # frozen: v3.19.1.

The best part is that this can be done automatically: running pre-commit autoupdate --freeze does it for you. This will also update the pre-commit hook versions, but usually that's a good thing.

I made an example in jupyter/docker-stacks repo: jupyter/docker-stacks#2289
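As an added example (not code from the issue author, the pre-commit project, or jupyter/docker-stacks), here is a small checker that enforces the property the issue asks for: every `rev:` in a `.pre-commit-config.yaml` must be a full 40-character commit SHA, and a SHA-pinned rev should carry the `# frozen: <tag>` comment that `pre-commit autoupdate --freeze` writes. The two sample configs, the `example-org/example-hooks` repository URL and the command-line wrapper are constructed here; the SHA/tag pair is the one quoted in the issue, whose originating repository the issue does not name.

```python
"""Flag pre-commit hooks whose `rev` is a mutable tag or branch instead of a commit SHA.

Added example for this issue; not part of pre-commit or jupyter/docker-stacks.
The sample configs and the repository URL below are constructed placeholders.
"""
import re
import sys
from typing import List, Tuple

# A rev written by `pre-commit autoupdate --freeze` looks like:
#   rev: <40-hex sha>  # frozen: v3.19.1
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REV_LINE_RE = re.compile(
    r"^\s*rev:\s*['\"]?(?P<rev>[^'\"\s#]+)['\"]?\s*(?:#\s*frozen:\s*(?P<tag>\S+))?"
)
REPO_LINE_RE = re.compile(r"^\s*-\s*repo:\s*(?P<repo>\S+)")

Finding = Tuple[str, str, str]  # (repo_url, rev, problem)

# Constructed sample: the common tag-pinned style the issue warns about.
TAG_PINNED_CONFIG = """\
repos:
  - repo: https://github.com/example-org/example-hooks
    rev: v3.19.1
    hooks:
      - id: check-yaml
      - id: end-of-file-fixer
"""

# Constructed sample: the same entry after `pre-commit autoupdate --freeze`,
# using the SHA/tag pair quoted in the issue.
HASH_PINNED_CONFIG = """\
repos:
  - repo: https://github.com/example-org/example-hooks
    rev: ce40a160603ab0e7d9c627ae33d7ef3906e2d2b2  # frozen: v3.19.1
    hooks:
      - id: check-yaml
      - id: end-of-file-fixer
"""


def find_unpinned_hooks(config_text: str) -> List[Finding]:
    """Return one finding per hook whose rev is not a full commit SHA.

    Line-oriented on purpose: `rev:` in a pre-commit config is always a scalar
    on its own line, so no YAML library is needed. The most recent `repo:` is
    tracked so each finding can name the repository it belongs to.
    Abbreviated SHAs are flagged too: they are not unambiguous forever.
    """
    findings: List[Finding] = []
    current_repo = "<unknown repo>"
    for line in config_text.splitlines():
        repo_match = REPO_LINE_RE.match(line)
        if repo_match:
            current_repo = repo_match.group("repo")
            continue
        rev_match = REV_LINE_RE.match(line)
        if not rev_match:
            continue
        rev = rev_match.group("rev")
        if not FULL_SHA_RE.match(rev):
            findings.append((current_repo, rev, "rev is a tag or branch, not a 40-hex commit SHA"))
        elif rev_match.group("tag") is None:
            # Pinned, but without the tag comment a reviewer cannot tell what version it is.
            findings.append((current_repo, rev, "SHA pinned but missing '# frozen: <tag>' comment"))
    return findings


def main(argv: List[str]) -> int:
    """CLI wrapper for CI: exit 1 if any hook in the given config is not SHA-pinned."""
    path = argv[1] if len(argv) > 1 else ".pre-commit-config.yaml"
    with open(path, encoding="utf-8") as fh:
        findings = find_unpinned_hooks(fh.read())
    for repo, rev, problem in findings:
        print(f"{path}: {repo} rev={rev}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pinned_hooks.py .pre-commit-config.yaml` in CI so a pull request that replaces a frozen SHA with a tag fails the build; after `pre-commit autoupdate --freeze` the check passes again because every rev is a SHA followed by its `# frozen:` comment.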
