Description
So I have this PR for upgrading the versions of actions running in GHA: #12501
For the Windows jobs we have pinned specific commits instead of versions (ref #11477 (comment)). I understand that this is more secure because the author of the action could technically move the tag to a different commit, right? And there's no lockfile to keep the versions pinned.
My question is, is this really necessary? (evidence suggests that it is a recommended safety practice: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/, https://michaelheap.com/ensure-github-actions-pinned-sha/)
And shouldn't we do this everywhere then?
The problem with commit hashes is that it's not clear what version they represent. So that makes it a bit difficult to manage and understand. Maybe there are tools which make this easier? (for example https://github.com/mheap/pin-github-action automatically adds comments referring to the version number).
We should probably look into a tool for automating action upgrades (that's regardless of using versions or hashes).
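As an added illustration of the check being discussed (this is not code from the issue author or from the project), the script below scans a workflow file for `uses:` lines and classifies each action reference: pinned to a full 40-hex commit SHA with a trailing version comment (the convention tools like pin-github-action produce), pinned to a SHA without a comment, a mutable ref such as a tag or branch, or unpinned. The workflow text and the two SHAs are constructed for the example and do not refer to real commits; local (`./`) and `docker://` references are skipped because SHA pinning does not apply to them in the same way.

```python
import re

# Constructed sample workflow for the example; the SHAs are made up
# and do not correspond to real commits of these actions.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches "uses: <ref>" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
# GitHub Actions only treats a full-length (40 hex) SHA as an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(workflow_text):
    """Return [(ref, status)] for every `uses:` line in a workflow.

    status is one of:
      "full-sha"            pinned to a 40-hex SHA with a version comment
      "full-sha-no-comment" pinned to a 40-hex SHA but no human-readable version
      "mutable-ref"         pinned to a tag/branch (or a short SHA), which can move
      "unpinned"            no "@ref" at all
      "skip"                local path or docker:// reference
    """
    results = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            status = "skip"
        elif "@" not in ref:
            status = "unpinned"
        else:
            version = ref.rpartition("@")[2]
            if FULL_SHA_RE.match(version):
                status = "full-sha" if comment else "full-sha-no-comment"
            else:
                status = "mutable-ref"
        results.append((ref, status))
    return results


def needs_attention(workflow_text):
    """Refs that are either mutable or lack a version comment."""
    return [ref for ref, status in classify_uses(workflow_text)
            if status in ("mutable-ref", "unpinned", "full-sha-no-comment")]


if __name__ == "__main__":
    for ref, status in classify_uses(SAMPLE_WORKFLOW):
        print(f"{status:22} {ref}")
```

Running it against the sample flags `actions/checkout@v4` as a mutable ref and `actions/cache@ab5e...` as a SHA pin with no version comment, which is exactly the readability problem raised above: the SHA is immutable, but nobody can tell from the file which release it corresponds to. The check is purely syntactic; it does not verify that a SHA actually exists in the upstream repository.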