security: Update version pins to use SHAs instead

[Skipants]

💌 Description

Hello! I love the work you did on this action and want to include it in my company's CI. It's saving me a ton of time.

I have made an update on my fork to to harden the security of this action and to help mitigate some upstream supply chain risks.

I bet you've heard of the tj-actions supply chain attack but for posterity there's more info here: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

That attack is the main reason for me making this change here and to some of our other upstream github actions.

Let me know if there's anything that needs changing.

🏗️ Type of change

• 📚 Examples/docs/tutorials
• 🐛 Bug fix (non-breaking change which fixes an issue)
• 🥂 Improvement (non-breaking change which improves an existing feature)
• 🚀 New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 🚨 Security fix
• ⬆️ Dependencies update

✅ Checklist

• I've read the Code of Conduct document.
• I've read the Contributing guide.

[DariuszPorowski]

LGTM, thanks!

[Skipants]

@DariuszPorowski BTW in case you're interested since you manage so many of these -- I made a simple go executable to automatically update Github Action workflow files to use SHAs instead of tags/branches. It pulls the SHAs straight from Github itself: https://github.com/Skipants/update-action-pins

[DariuszPorowski]

@Skipants this is great! will take a look, thanks! :)