Reference actions by commit SHA

[gabibguti]

Referencing actions by commit SHA in GitHub workflows, guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.

Although there are pros and cons for each reference, GitHub understands SHAs are more reliable, as does Scorecard security tool.

In this repository, we use the GitHub action actions/checkout@v2 and the third-party action actions-rs/cargo@v1. If you agree, I can open a PR to change these references to commit SHAs.

Additional Context

As an additional suggestion, we could upgrade actions/checkout to major 3.

Plus, just calling out that actions-rs/cargo seems to have not been receiving maintenance in a while.

About me, hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

[KodrAus]

Done! I've removed all dependent actions except for actions/checkout and pinned it to a particular hash in #350.

Thanks again for all your tireless work on tightening things up across the board 🙇

[gabibguti]

Nice! Thank you @KodrAus! Great work!