kolyshkin left a comment:
To me this (using sha or defining a complete specific version) feels like a totally unnecessary complication which will create extra noise.
Unless, of course, a specific action used tends to break often, or GHA is used for something very important and security-sensitive, like building an official release binary.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Yeah, not a huge fan, but there's an ongoing number of incidents impacting supply chain security; Trivy was the first one (all tags were force-pushed), but from that it moved to multiple other actions and dependencies; linking to a blog post, but there's various other posts you can find: https://www.docker.com/blog/trivy-supply-chain-compromise-what-docker-hub-users-should-know/
I understand that, but AFAIK CI in this repo is not really part of the supply chain.
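The pinning question above (a moving tag such as `@v4` or a branch versus a full commit SHA) is easy to audit mechanically. The checker below is an added example written for this page; it is not code from the PR or from the repository under discussion. It scans workflow text for `uses:` lines and flags any reference that is a tag, a branch or missing entirely, since all of those can be retargeted after the fact, while a 40-hex commit SHA cannot. The sample workflow and the SHA in it are constructed placeholders.

```python
import re
from typing import List, NamedTuple, Optional

# A 40-hex-digit commit SHA is the only reference form that cannot be moved
# later; tags and branches can be re-pointed or force-pushed.
_SHA40 = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# One `uses:` line (step-level with a leading dash, or job-level without one);
# captures the reference and any trailing comment such as "# v5.0.0".
_USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")


class ActionRef(NamedTuple):
    line_no: int
    action: str          # e.g. "actions/checkout"
    ref: Optional[str]   # text after the '@', None when absent
    kind: str            # "sha", "tag", "branch", "missing", "local" or "docker"
    comment: str         # trailing comment, usually the human-readable version


def classify_uses(value: str, line_no: int = 0, comment: str = "") -> ActionRef:
    """Classify one `uses:` value by how immutable its reference is."""
    if value.startswith("./"):
        return ActionRef(line_no, value, None, "local", comment)   # same-repo action, pinned by the checkout itself
    if value.startswith("docker://"):
        return ActionRef(line_no, value, None, "docker", comment)  # image refs are a separate pinning problem
    action, _, ref = value.partition("@")
    if not ref:
        return ActionRef(line_no, action, None, "missing", comment)
    if _SHA40.match(ref):
        return ActionRef(line_no, action, ref, "sha", comment)
    # Tags conventionally start with a digit or "v<digit>"; anything else is treated
    # as a branch. Both are mutable, so the distinction only affects the report text.
    kind = "tag" if re.match(r"^v?\d", ref) else "branch"
    return ActionRef(line_no, action, ref, kind, comment)


def find_unpinned(workflow_text: str) -> List[ActionRef]:
    """Return every `uses:` reference in the workflow that is not a commit SHA."""
    flagged = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_LINE.match(line)
        if not m:
            continue
        entry = classify_uses(m.group(1), line_no, (m.group(2) or "").strip())
        if entry.kind in ("tag", "branch", "missing"):
            flagged.append(entry)
    return flagged


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = "\n".join([
    "name: ci",
    "on: [push]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0 (placeholder SHA)",
    "      - uses: some-org/some-action@main",
    "      - uses: ./.github/actions/local-thing",
    "      - uses: docker://alpine:3.19",
])


if __name__ == "__main__":
    for entry in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {entry.line_no}: {entry.action}@{entry.ref or '<none>'} is pinned to a {entry.kind}, not a commit SHA")
```

The `# v5.0.0` comment kept next to a SHA pin is the usual convention: the workflow stays readable, and Dependabot and Renovate both use that comment when they bump the SHA to a newer release. Running the checker over `.github/workflows/*.yml` as a CI step turns the "pin or not" discussion into a policy that is enforced rather than argued per PR.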