Reference actions by commit SHA

[gabibguti]

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does Scorecard security tool.

I recently recommended #126 and, like that change, this one also a security good-practice. If you agree, we can update, for example, actions/setup-go@v4 to actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe followed by a comment # v4.1.0 to keep the version readable and I can support you by opening a PR.

Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

[lemire]

Please do @gabibguti