3rd party Github Actions should be pinned

Find more live information in Aikido here: https://app.aikido.dev/queue?sidebarIssue=16564216&groupId=39961&sidebarIssueTask=1526673&sidebarTab=tasks


### Scope
This task includes issues in the following code repository:
- councilR:
	[.github/workflows/R-CMD-check.yaml at line 31](https://github.com/Metropolitan-Council/councilR/blob/main/.github/workflows/R-CMD-check.yaml#L31)
	[.github/workflows/R-CMD-check.yaml at line 33](https://github.com/Metropolitan-Council/councilR/blob/main/.github/workflows/R-CMD-check.yaml#L33)
	and 2 more


### TLDR
A third-party GitHub Action was imported, and is not pinned via a hash. This leaves your CI/CD at risk for potential supply chain attacks, if the affected GitHub Action is compromised.


### How to fix
When using 3rd party Actions in your GitHub Workflow, it is a best practice to pin the version by including the commit hash. You can retrieve the commit hash from the releases tab of the affected GitHub's Action repository. For example:

 The commit hash for https://github.com/actions/setup-node/releases/v4.1.0 is 39370e3970a6d050c480ffad4ff0ed4d3fdee5af. When pinning, the Action's definition would be: - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

3rd party Github Actions should be pinned #94

Scope

TLDR

How to fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

3rd party Github Actions should be pinned #94

Description

Scope

TLDR

How to fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions