
Conversation

@ostk0069

Pull Request

Description

In order to enable the "Require actions to be pinned to a full-length commit SHA" setting, this diff is necessary.

  • Pin GitHub Actions to full-length commit SHAs instead of
    version tags for improved security
  • Update actions/checkout from v2/v4 to v6 (pinned with commit
    hash)
  • Update ruby/setup-ruby to be pinned with commit hash

Current Behavior

Nothing changes.

New Behavior

Nothing changes.

@ostk0069
Author

@matiasalbarello @JoelLefkowitz Could you please review this?

@JoelLefkowitz
Collaborator

JoelLefkowitz commented Nov 27, 2025

Hey @ostk0069, thanks for this PR. Could you please explain why this is necessary, since the version numbers and hashes are aliases?

@JoelLefkowitz
Collaborator

Is it in case a compromised version of actions/caches gets published and tagged?

The tradeoff is that you don't get improvement patches when you lock to a specific hash and it's less readable too.

It's quite common in large packages to use the version numbers not hashes and I'd like to follow that convention.

If you'd like to proceed with the PR I think it's a good idea to update the actions to the latest versions like actions/caches to v6. Would you like to do that?

@ostk0069
Author

ostk0069 commented Nov 27, 2025

@JoelLefkowitz

Thank you for your review.

It's quite common in large packages to use the version numbers not hashes and I'd like to follow that convention.

There is a "Require actions to be pinned to a full-length commit SHA" setting in GitHub, and it needs the third-party actions to be pinned as well. If this problem is left as it is right now, many developers would be in trouble with unpinned actions in the future.

If you'd like to proceed with the PR I think it's a good idea to update the actions to the latest versions like actions/caches to v6. Would you like to do that?

In my commit these are already done. Or should it be pinned like v6.x.x?

@JoelLefkowitz
Collaborator

Thanks @ostk0069,

There is a "Require actions to be pinned to a full-length commit SHA" setting in GitHub, and it needs the third-party actions to be pinned as well. If this problem is left as it is right now, many developers would be in trouble with unpinned actions in the future.

I don't think that's how that works. From the docs it looks like it means a consumer repository would need to use the SHA when using lewagon/wait-on-check-action:

steps:
  - name: Wait for tests to succeed
    uses: lewagon/wait-on-check-action@3603e826ee561ea102b58accb5ea55a1a7482343

But it doesn't look like there are any constraints on the content inside lewagon/wait-on-check-action/.github/workflows as the rule only applies to the consumer. If I'm wrong about this I'd be happy to take a look at an example to understand it better.

In terms of the tradeoff of using explicit shas in this workflow the same docs article says:

Although pinning to a commit SHA is the most secure option, specifying a tag is more convenient and is widely used. If you’d like to specify a tag, then be sure that you trust the action's creators. The ‘Verified creator’ badge on GitHub Marketplace is a useful signal, as it indicates that the action was written by a team whose identity has been verified by GitHub.

These actions have the "Verified creator" badge. I also checked some of the workflows in actions/checkout and react for reference and neither of them use the full SHAs, I'm guessing for readability and improvement patches.

In my commit these are already done. Or should it be pinned like v6.x.x?

Pinned as actions/checkout@v6; that way it catches all the included minor and patch changes.
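
As an added illustration of the distinction argued over in the thread above (this is example code, not part of the PR or of the lewagon/wait-on-check-action project): the setting inspects the `uses:` lines of the repository that has it enabled, and it accepts only a 40-character hex commit SHA, so a tag such as `@v6` and an abbreviated SHA both fail it, while an action in the same repository (`./...`) is exempt. The checker below classifies each reference, lists the ones the setting would reject, and keeps the tag in a trailing `# v6` comment so a SHA pin stays readable, which is the convention that addresses the readability objection. The two sample workflows and the all-1/2/3 SHAs are constructed placeholders, not real commits; `resolve_tag()` shows how the real commit is looked up with `git ls-remote`, but it needs network access and is not run here.

```python
"""Added example (not code from lewagon/wait-on-check-action or GitHub):
classify how each `uses:` reference in a GitHub Actions workflow is pinned and
report the ones "Require actions to be pinned to a full-length commit SHA"
would reject."""
import re
import subprocess
from dataclasses import dataclass

# `uses: <ref>` plus an optional trailing `# comment`, the usual place to keep
# the readable tag (e.g. `# v6`) next to a SHA pin.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"]+)['\"]?(?:\s+#\s*(?P<comment>.*?))?\s*$"
)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
_SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class UsesRef:
    ref: str      # e.g. "actions/checkout@v6"
    kind: str     # "full-sha" | "short-sha" | "tag-or-branch" | "local" | "docker"
    comment: str  # trailing "# ..." text, "" if absent


def classify(ref: str, comment: str = "") -> UsesRef:
    """Decide how a single `uses:` reference is pinned."""
    if ref.startswith(("./", "../")):
        return UsesRef(ref, "local", comment)    # same repository; the setting ignores it
    if ref.startswith("docker://"):
        return UsesRef(ref, "docker", comment)   # pin by image digest (@sha256:...) instead
    _, sep, version = ref.rpartition("@")
    if sep and _FULL_SHA_RE.match(version):
        return UsesRef(ref, "full-sha", comment)
    if sep and _SHORT_SHA_RE.match(version):
        # Abbreviated SHA: still a lookup on the remote, so the setting rejects it.
        # (An all-hex tag name of 7-39 chars would be misclassified here.)
        return UsesRef(ref, "short-sha", comment)
    return UsesRef(ref, "tag-or-branch", comment)  # mutable alias the maintainer can repoint


def find_uses(workflow_text: str) -> list[UsesRef]:
    """Line-based scan; a full YAML parser is unnecessary for this check."""
    found = []
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if m:
            found.append(classify(m.group("ref"), m.group("comment") or ""))
    return found


def unpinned(workflow_text: str) -> list[str]:
    """References the setting would reject: remote actions not at a 40-hex SHA."""
    return [u.ref for u in find_uses(workflow_text) if u.kind in ("short-sha", "tag-or-branch")]


def resolve_tag(repo_url: str, tag: str) -> str:
    """Resolve a tag to the commit SHA to pin, via `git ls-remote` (needs network;
    not exercised offline). For an annotated tag ls-remote reports the tag object on
    refs/tags/<tag> and the commit it points at on refs/tags/<tag>^{}; pin the commit."""
    out = subprocess.run(
        ["git", "ls-remote", repo_url, f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"],
        check=True, capture_output=True, text=True,
    ).stdout
    shas = {}
    for line in out.splitlines():
        sha, _, name = line.partition("\t")
        shas[name] = sha
    return shas.get(f"refs/tags/{tag}^{{}}") or shas[f"refs/tags/{tag}"]


# Constructed sample workflows. The 40-hex strings are PLACEHOLDERS, not the real
# actions/checkout or ruby/setup-ruby commits; use resolve_tag() to get those.
TAG_PINNED = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ruby/setup-ruby@v1
      - uses: actions/cache@v4
      - uses: ./.github/actions/lint
"""

SHA_PINNED = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v6 (placeholder SHA)
      - uses: ruby/setup-ruby@2222222222222222222222222222222222222222 # v1 (placeholder SHA)
      - uses: actions/cache@3333333  # short SHA: still rejected
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for name, text in (("tag-pinned", TAG_PINNED), ("sha-pinned", SHA_PINNED)):
        print(f"{name}: rejected by the setting -> {unpinned(text)}")
```

Run against the two constructed workflows, the tag-pinned one is rejected on all three remote actions and the SHA-pinned one only on the abbreviated `actions/cache` reference. To apply the convention to a real workflow, run `resolve_tag("https://github.com/actions/checkout", "v6")` once, paste the returned SHA after `@`, and keep `# v6` in the comment so the tag remains visible to reviewers.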

ostk0069 force-pushed the ci-update-pin-with-commit-hash branch from ae38f1d to 63ab15b on December 1, 2025 00:37
@ostk0069
Author

ostk0069 commented Dec 1, 2025

@JoelLefkowitz Thanks for the review. I updated.

@JoelLefkowitz
Collaborator

Thanks @ostk0069, but it's still got the hashes; could you remove them as discussed?

ostk0069 closed this Dec 6, 2025