Hey, I'm Pedro and I work with Google and the OpenSSF to help projects improve the supply-chain security of open source projects. My colleague Joyce (see #7541 and #7546) has already made a few contributions to this project and I'm here to help, too!
When developing with CI workflows, it's common to version-pin dependencies (e.g. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These hashes will be automatically updated by dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this repo as an example).
I'll send a PR pinning the Actions along with this issue.
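To make the pinning concrete, here is an added example (not part of the issue or of Pedro's PR) that checks a workflow for `uses:` references still pinned to a mutable tag or branch. The workflow text is constructed for the example; the 40-hex SHA on the `setup-node` step is a hypothetical placeholder, not a real commit, and would be replaced with the hash that `git ls-remote` reports for the tag you intend to pin.

```python
import re

# Constructed sample workflow (not taken from the project). One step is pinned
# to a mutable tag, one to a full commit SHA with the version kept as a comment.
# The SHA below is a HYPOTHETICAL placeholder; resolve the real one with
#   git ls-remote https://github.com/actions/setup-node refs/tags/v4
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # next step: immutable pin, tag kept as a comment so humans (and
      # dependabot) can still see which release it corresponds to
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm ci
"""

# `uses:` may appear as a list item ("- uses:") or as a reusable-workflow key
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# a full git object id: exactly 40 lowercase hex characters
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify a `uses:` reference as 'sha', 'tag', 'local' or 'docker'.

    'tag' covers anything after '@' that is not a full 40-hex SHA: release
    tags, branch names and abbreviated SHAs are all mutable or ambiguous.
    Local actions live in the repo, and docker:// refs use image digests,
    so both are reported separately rather than flagged here.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text):
    """Return (line_number, ref) for every remote action not pinned by SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_uses(ref) == "tag":
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned to a mutable ref, pin it to a commit SHA")
```

Run the script over each file under `.github/workflows/` to get the list of steps the PR needs to change. Once a step is pinned as `owner/repo@<sha> # vN`, a `package-ecosystem: github-actions` entry in `.github/dependabot.yml` is what keeps the SHA and the trailing version comment in step with new releases.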