🔒 Security(.github/workflows): Pin 3rd party actions to specific commit hash to avoid supply chain attacks

## Vulnerability

Current usage of 3rd-party actions in `.github/workflows` uses broad versions instead of specific commit hashes, example: https://github.com/wei/socialify/blob/082c96087341a776f682eacc1f931e0ed615c73c/.github/workflows/build.yml#L22

Though unlikely, this exposes the project to supply chain attacks in case latest major version is compromised at the time of workflow run. 

## Solution

Pinning all 3rd party actions to commit hash corresponding to latest stable release, example:

```YAML
- name: Setup pnpm
  uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2
  # Pinned to commit hash of release v4.0.0 on 05/07/24.
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔒 Security(.github/workflows): Pin 3rd party actions to specific commit hash to avoid supply chain attacks #480

Vulnerability

Solution

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

🔒 Security(.github/workflows): Pin 3rd party actions to specific commit hash to avoid supply chain attacks #480

Description

Vulnerability

Solution

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions