Description
Is your feature request related to a problem or challenge?
A recent supply chain attack has made it extremely apparent that GitHub workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-GitHub, non-Apache action, of which there seem to be a few:
- dev.yml -> - uses: korandoru/hawkeye@v6
- rust.yml -> - uses: korandoru/hawkeye@v6
- setup-macos-aarch64-builder/action.yaml -> uses: Swatinem/rust-cache@v2
- setup-rust-runtime/action.yaml -> uses: mozilla-actions/sccache-action@v0.0.4
An example of how to use a SHA hash instead of a version can be seen in the extended.yml file:
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
Describe the solution you'd like
No response
Describe alternatives you've considered
No response
Additional context
No response
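
The check requested above can be automated in CI. The following is an added example, not code from this repository: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA. The exempted owner list, the function name `find_unpinned`, and the sample workflow (including the `actions/checkout@v4` and local-action lines) are assumptions constructed for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref", with or without a leading "- " or quotes.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumption: owners the issue exempts ("non-GitHub, non-Apache").
TRUSTED_OWNERS = frozenset({"actions", "github", "apache"})


def find_unpinned(workflow_text, trusted_owners=TRUSTED_OWNERS):
    """Return (line_number, reference, reason) for each third-party action
    that is not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not repository refs.
        if target.startswith(("./", "../", "docker://")):
            continue
        action, sep, ref = target.rpartition("@")
        if not sep:
            findings.append((lineno, target, "no ref"))
            continue
        if action.split("/", 1)[0].lower() in trusted_owners:
            continue
        # Tags, branches and abbreviated SHAs are all mutable or ambiguous.
        if not FULL_SHA_RE.match(ref.lower()):
            findings.append((lineno, target, "not a full commit SHA"))
    return findings


# Constructed sample built from the references listed in this issue.
SAMPLE = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: korandoru/hawkeye@v6
      - uses: Swatinem/rust-cache@v2
      - uses: mozilla-actions/sccache-action@v0.0.4
      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
      - uses: ./.github/actions/setup-builder
"""

if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref} ({reason})")
```

Running it over every file under `.github/` and failing the job on a non-empty result keeps new version-tagged references from being merged.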