Status: Closed
Labels: enhancement (New feature or request)
Description
This is a supply-chain security suggestion.
It would be great if the GitHub Actions that this action uses used version pinning according to the commit hash, rather than the version tag.
Why? Some justifications here: https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
GitHub allows repository admins to ensure that all actions use commit hash pinning as well:
Dependabot can also be used to perform these periodic/security updates as needed. I'll open a PR to propose this.
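The check below is an added example, not code from the issue author or from the repository this issue was filed against. It scans a GitHub Actions workflow for `uses:` references and reports any remote action that is pinned to a mutable tag (or a short SHA) instead of a full-length 40-hex commit SHA, which is the state this issue asks for. The workflow text is constructed for the example, and the 40-hex value in it is a placeholder, not a real commit of `actions/setup-node`.

```python
import re

# Constructed sample workflow for this example. The SHA on the setup-node step
# is a placeholder with the right shape (40 hex chars), not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: npm ci
"""

# Matches a `uses:` step line and captures the reference up to any comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'\s#]+)')
# A full-length commit SHA is exactly 40 lowercase hex characters; short SHAs
# and tags such as v4 are mutable and do not count as pinned.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Return 'sha', 'tag', 'local' or 'docker' for one `uses:` reference.

    Local actions (./path) and docker:// images are classified separately:
    they are not remote GitHub actions and need a different pinning policy.
    """
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    _, _, version = ref.rpartition('@')
    return 'sha' if FULL_SHA_RE.match(version) else 'tag'


def find_unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for remote actions not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group('ref')
        if classify_uses(ref) == 'tag':
            findings.append((n, ref))
    return findings


if __name__ == '__main__':
    for n, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is pinned to a mutable tag, not a commit SHA")
```

Run it against each file under `.github/workflows/` as a CI gate; on the sample above it reports only the `actions/checkout@v4` step, since the `setup-node` step already carries a full-length SHA with the human-readable version kept in a trailing comment, which is the form Dependabot keeps up to date.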