Pin GitHub Actions to Git commit hash

[achrinza]

Currently, we're inconsistently referencing third-party GitHub Actions by Git tags, Git branches and the Git commit hash.

Git tags and Git branches can be re-pointed to a different Git commit hash without our explicit knowledge. Hence, this poses a security risk as a malicious GitHub Action that we depend on can go under the radar without our knowledge.

We should standardise on referencing by Git commit hash.

Renovate currently handles keeping the GitHub Actions up-to-date. It supports updating Git commit hash while following the Git tags:

• https://docs.renovatebot.com/modules/manager/github-actions/ (Git Permalink: https://github.com/renovatebot/renovate/blob/3e5cd5d8875babaf03cb11f60ad9bf84b453025a/lib/modules/manager/github-actions/readme.md)
• feat(github-actions): Change behavior to not add "renovate" to inline yaml comments when pinning renovatebot/renovate#14110
• feat(github-actions): Support for short tag comments renovatebot/renovate#18738

The syntax would be either of the following:

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # renovate: tag=v2.4.0

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0

Loosely-related to #25 (Part of OpenSSF Scorecard check).

GitHub repositories

• loopback/cicd (PR)
• loopbackio/loopback.io (PR)
• loopback-next (PR)
• strong-soap (PR)