[infra] Hash-pin GitHub Actions, keep them updated with dependabot

[pnacht]

Fixes #6814.

This PR hash-pins all GitHub Actions to increase the workflows' resilience to broken or malicious workflows.

It also sets up dependabot to send a single monthly PR updating all Actions with new versions.

RELEASE NOTES: NONE

[codecov]

Codecov Report

Merging #6815 (2401b8a) into master (7935c4f) will increase coverage by 0.03%.
Report is 1 commits behind head on master.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6815      +/-   ##
==========================================
+ Coverage   83.40%   83.43%   +0.03%     
==========================================
  Files         285      285              
  Lines       30879    30879              
==========================================
+ Hits        25754    25764      +10     
+ Misses       4053     4044       -9     
+ Partials     1072     1071       -1     

see 13 files with indirect coverage changes

[dfawley]

Are there breaking changes between v4 and v8? Do we need to update our config of the stale bot because of this?

[pnacht]

No. There are a few "breaking changes", but none of them are significant, given how it's used here:

• v5: no changes
• v6: when an issue is closed by the bot, it is now closed as "Not planned", not as "Completed"
• v7: changes how the bot handles "exempt" issues/PRs, which aren't used here
• v8: if there's an error, the Action will fail, not pretend to succeed

[dfawley]

SGTM; thanks!

[dfawley]

+@easwars for 2nd review

[easwars]

This PR hash-pins all GitHub Actions to increase the workflows' resilience to broken or malicious workflows.

Why is hash-pinning, some of which are pinned to patch releases, better than manually pinning to major versions. Is it possible to configure the dependabot to only pin to major release versions?

[pnacht]

Why is hash-pinning, some of which are pinned to patch releases, better than manually pinning to major versions.

I suggest pinning to hashes because it ensures Actions behave consistently. When pinning to a major version (@v2), the project will be immediately vulnerable to a broken or malicious version as soon as it is released. Pinning to a patch version (@v2.1.3) helps against a broken release, but not a malicious one (since the tag can be modified to point to a malicious commit). Only by hash-pinning an Action to a particular commit can you be confident the Action's behavior won't change beneath your feet.

Is it possible to configure the dependabot to only pin to major release versions?

By "pin to major release versions", do you mean the status quo (i.e. actions/checkout@v2) or pinning to a major version commit (actions/checkout@1a2b3c... # v2)?

In either case, the answer is yes:

• If the former, dependabot can be set up to just bump these tags whenever a new major version is released.
• If the latter, the "version comment" can be to a major release version instead. The hash will be the same as the ones proposed in the current PR, because the major version tag points to the same commit as the latest patch version tag. Whenever a new minor/patch version is released, you'll still receive a dependabot PR suggesting you update to the latest version. The "version comment" will remain the same (unless there's a new major version), just the hash will be changed to point to the newest patch version.