
Hash pin actions and enable dependabot #756

Closed
joycebrum opened this issue Dec 29, 2023 · 4 comments

Comments

@joycebrum
Contributor

I'd like to bring up another security practice that might be relevant for packaging, which is to pin GitHub Actions by hash. This is currently the only way to use an action as an immutable release, which avoids breaking changes and instant impact from a malicious release, and prevents tag renaming attacks.

There are some pros and cons to hash pinning, but for now, hash pinning actions and enabling dependabot to get security updates and fixes is considered the safer way to deal with workflow actions.

Of course, due to #680, almost all workflows (except for codeql) are already safe because they are read-only and do not access secrets. However, it is common to hash pin all the workflows instead of just the ones with write permissions, to keep consistency.

I'll be submitting a PR as a reference to show the changes related to this issue, but let me know whether you would rather not hash pin, or hash pin only the privileged workflows.

Besides, regardless of which method is used to pin actions, enabling dependabot is important to get version updates (even if only major version updates) in order to get vulnerability and bug fixes. Thus, I'll be submitting a different PR for dependabot.

Thanks!

Additional References

A tag renaming attack is a type of attack whereby an attacker:

  1. Hijacks an action.
  2. Uploads a malicious version.
  3. Replaces existing tags with malicious versions.

See Why you should pin actions by commit hash

@brettcannon
Member

I'm fine w/ hash pinning as long as we bring on dependabot (which I'm also fine with).

@pradyunsg how about you?

@pradyunsg
Member

I'm fine with this -- I'll look at the PRs once I'm done with vacation next week. :)

@brettcannon
Member

PRs are all merged.

Thanks, @joycebrum !

@pradyunsg
Member

Well, I did end up looking at them today nonetheless. :)
