Reference actions by commit SHA #825
Description
Referencing actions by commit SHA in GitHub workflows, guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.
Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does Scorecard security tool.
Analyzing again cmake.yml and makefile.yml, as done in #803, the workflows use only actions/checkout@v2. This action is referenced by tag. To prevent the attacks mentioned above, would be good to change the tag references to commit SHAs. If you agree, I can open a PR.
Additional Context
As an additional suggestion, we could upgrade actions/checkout to major 3.
About me, hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)