The tags are mutable and groups like Google Open Source Security Team
(GOSST) are suggesting use of hash-pinned (alongside the tag as comment)
actions.
The dependabot just introduced can handle the format automatically.
Ref: https://github.com/libarchive/libarchive/issues/1959
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/76
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
spellcheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
- - uses: codespell-project/actions-codespell@v2
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
with:
ignore_words_file: .codespellignore
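Review bot: the version comment on the codespell line, "# v2.0", uses a different form from the "# v4.1.7" comment on the checkout line above it, and nothing in the hunk ties either comment to its SHA. Since the comment is now the only human-readable record of what 94259cd8be02ad2903ba34a22d9c13de21a74461 is, please confirm it is the exact upstream tag name that resolves to that commit, and note in the commit message how the two hashes were obtained so a later reader can re-check them.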
image: ${{ matrix.container }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/setup-ubuntu
if: ${{ startsWith(matrix.container, 'ubuntu') }}
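Review bot: the unchanged "uses: ./.github/actions/setup-ubuntu" step right after the pinned checkout is a local action, so it needs no hash itself, but any "uses:" lines inside it are not visible in this hunk and would still follow mutable tags if they reference third-party actions by tag. Please check the local actions under .github/actions for tag references and pin them in the same commit, or state in the message that they contain none.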