
[StepSecurity] ci: Harden GitHub Actions #1405

Merged

Conversation

step-security-bot
Contributor

Summary

This pull request is created by StepSecurity at the request of @p-bakker. Please merge the Pull Request to incorporate the requested changes. Please tag @p-bakker on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
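The point the PR body makes is that a `uses: owner/action@v4` reference resolves to whatever commit the `v4` tag points at today, so the tag can be moved without any change in the consuming repository. A quick way to see which steps in a workflow still carry that risk, and which SHA-pinned steps lack the human-readable `# vX.Y.Z` comment that StepSecurity-style PRs add, is a small audit script. The following is an added example written for this discussion; it is not StepSecurity's tooling or code from the Rhino repository, and the workflow text and the 40-hex "commit" values inside it are constructed placeholders, not real commits.

```python
"""Audit a GitHub Actions workflow for `uses:` references that are not pinned
to a full-length commit SHA, and for SHA pins that lack a version comment.

Added example for illustration; not StepSecurity's or the project's code.
"""
import re

# Matches `uses: <ref>` with an optional trailing comment such as `# v4.1.1`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return 'sha', 'tag' or 'local' for the reference part of a uses: line.

    'tag' covers everything mutable: tags, branch names, and a missing ref.
    Docker images count as pinned only when referenced by digest.
    """
    if ref.startswith("./"):
        return "local"  # action in the same repo, no external ref to pin
    if ref.startswith("docker://"):
        return "sha" if "@sha256:" in ref else "tag"
    if "@" not in ref:
        return "tag"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "sha" if FULL_SHA_RE.match(version) else "tag"


def audit_workflow(workflow_text: str) -> dict:
    """Return {'unpinned': [(line, ref)], 'missing_version_comment': [(line, ref)]}."""
    unpinned = []
    missing_comment = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_uses(ref)
        if kind == "tag":
            unpinned.append((lineno, ref))
        elif kind == "sha" and not comment:
            # SHA pins are not human readable; a `# vX.Y.Z` comment keeps
            # them reviewable and lets update tooling track the version.
            missing_comment.append((lineno, ref))
    return {"unpinned": unpinned, "missing_version_comment": missing_comment}


# Constructed sample workflow. The 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-thing
      - name: Gradle
        uses: gradle/gradle-build-action@v2
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
"""


if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    for lineno, ref in report["unpinned"]:
        print(f"line {lineno}: unpinned (mutable tag/branch): {ref}")
    for lineno, ref in report["missing_version_comment"]:
        print(f"line {lineno}: SHA pin without version comment: {ref}")
```

Run against a real file with `audit_workflow(open(".github/workflows/ci.yml").read())`. The script only inspects `uses:` lines; it does not resolve tags or verify that a pinned SHA actually belongs to the named repository, which is a separate check that needs network access.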
@diogoteles08
Contributor

Happy to see this improvement!

One note/suggestion I'd add is that hash-pinning dependencies is a great security improvement but might increase the effort needed to update and maintain them, as the hashes aren't really human readable. That's why I always suggest hash-pinning along with the adoption of a Dependency-Update-Tool, which is also a Scorecard recommendation, with High priority. It will make sure to create PRs with version bumps for your dependencies, at the pace that is most convenient to the maintainers. I.e., you can configure it to update only major versions, only minors, or even only Security-Patches.
Let me know if you are interested in this and I'd be happy to follow up with a PR implementing it, with any configuration you prefer.

@p-bakker
Collaborator

Yeah, figured as much. If you'd be willing to provide the PR, I think we'd welcome that.

As for the desired configuration: I'd say only security patches, as we do not want to get overwhelmed with updates :-)

@p-bakker
Collaborator

@gbrail @rbri LGTM, so I'd say we merge this

@gbrail
Collaborator

gbrail commented Oct 31, 2023

Makes sense to me -- thanks!

@gbrail gbrail merged commit 873f22f into mozilla:master Oct 31, 2023
3 checks passed