chore: pin dependencies (actions, docker, cli)

[naltatis]

🔒 improve supply chain security, guard against dependency takeover
✅ improve OpenSSF scorecard https://scorecard.dev/viewer/?uri=github.com/evcc-io/evcc
🤖 dependabot will provide hash upgrade PRs

See also best practice recommendations:
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
https://github.com/ossf/scorecard/blob/a1d03ef4c261559c5f6081fc91a74e18fd501eb6/docs/checks.md#pinned-dependencies

[sourcery-ai]

Hey - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[andig]

I'm absolutely not a fan of this. I want to keep the major versions:

Pin actions to a tag only if you trust the creator

This is specifically 3rd party. We trust GH.

[naltatis]

I'm absolutely not a fan of this.

Also agree that this hurts readability. OpenSSFs recommendation is to pin all actions for full score. But they also differentiate severity between githubOwned and thirdParty actions ossf/scorecard#906

I'll move the GitHub owned back to tags but keep the 3rd party ones (highes risk) pinned.

[andig]

Sounds like a good compromise. However, the problem is imho more how we chose and validate those. Pinning means they never get updated and tbo, the current version just means "it was there", not "it is secure and has been reviewed".

[naltatis]

However, the problem is imho more how we chose and validate those.

This is the same as for go or npm deps. We are in charge of this.
Dependabot will issue upgrade PRs and also works with hashes. Pinning makes upgrade a deliberate action.