Closed
Description
Hey, I'm back (see #177 and #178) with another security suggestion!
When developing with CI workflows, it's common to version-pin dependencies (i.e. `actions/checkout@v3`). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Pinning workflow dependencies by hash (or commit SHA) ensures the dependency is immutable and its behavior is guaranteed.
These dependencies can be kept up-to-date with dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment.
I'll send a PR pinning the dependencies and adding dependabot along with this issue.
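The check and rewrite described in the issue above, as an added example that is not part of the issue, the author's PR, or this repository's own code. It scans a workflow for `uses:` steps that reference a mutable ref and rewrites them to `@<sha> # <tag>`. The sample workflow, the `TAG_TO_SHA` map and every SHA in it are constructed placeholders; in practice the map is filled from `git ls-remote` against the action's repository.

```python
import re

# Constructed sample workflow (not a file from this repository). It mixes a
# tag-pinned step, a tag-pinned step with a `with:` block, a step that is
# already pinned to a (placeholder) commit SHA, and a local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4.7.0
        with:
          python-version: "3.11"
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v3.3.2
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Hypothetical tag -> commit map with placeholder SHAs. Fill it for real from
# `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`, and for
# annotated tags dereference with `refs/tags/<tag>^{}` to get the commit.
TAG_TO_SHA = {
    ("actions/checkout", "v3"): "fedcba9876543210fedcba9876543210fedcba98",
    ("actions/setup-python", "v4.7.0"): "1111111111111111111111111111111111111111",
}

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo[/path]@ref` and captures any trailing text.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)


def parse_uses(line):
    """Return (prefix, action, ref, rest) for a `uses: x@y` line, else None."""
    m = USES_RE.match(line)
    return m.groups() if m else None


def is_remote_action(action):
    # Local actions (./path) and container images (docker://...) are not
    # resolved through a mutable git tag, so there is nothing to pin.
    return not (action.startswith("./") or action.startswith("docker://"))


def find_unpinned(workflow_text):
    """List (line_no, action, ref) for every remote action not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        _, action, ref, _ = parsed
        if is_remote_action(action) and not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


def pin_workflow(workflow_text, tag_to_sha):
    """Rewrite tag refs to `@<sha> # <tag>`; refuse to guess unknown tags."""
    out = []
    for line in workflow_text.splitlines():
        parsed = parse_uses(line)
        if parsed is None:
            out.append(line)
            continue
        prefix, action, ref, _rest = parsed
        if not is_remote_action(action) or FULL_SHA_RE.match(ref):
            out.append(line)
            continue
        sha = tag_to_sha.get((action, ref))
        if sha is None:
            raise ValueError(f"no commit known for {action}@{ref}; refusing to guess")
        if not FULL_SHA_RE.match(sha):
            raise ValueError(f"not a full 40-hex commit SHA for {action}@{ref}: {sha!r}")
        # The tag stays as a trailing comment (replacing any existing one) so
        # Dependabot can bump the SHA and the version comment together.
        out.append(f"{prefix}{action}@{sha} # {ref}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, TAG_TO_SHA))
```

Run it as-is to see the two unpinned steps reported and the rewritten workflow; `find_unpinned` is also usable on its own as a CI gate that fails the build when a mutable ref appears. The version comment matters: with a `.github/dependabot.yml` entry using `package-ecosystem: github-actions`, Dependabot updates that comment alongside the SHA, which is what keeps the pinned file readable.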