ci: reference actions using tags

[Fdawgs]

Using main is asking for trouble, if a broken commit is made to an action's branch then we will immediately feel it.
It is considered the least secure method of referencing GitHub Actions.

If we want to be as secure as possible then we should be referencing them using the full length commit SHAs.

Sources:

• GitHub Docs - Security hardening for GitHub Actions
• GitHub Security Lab - Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks
• OSSF - Security Scorecards (Recommended by GitHub)

Checklist

• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

[luisorbaiceta]

The links-check actions would need to be updated too @Fdawgs

[jsumners]

In my opinion, all of those references are discussing third party actions. The GitHub provided actions under the actions/* suite should be considered trustworthy. In fact, you are already doing so by referencing the version as a tag instead of an explicit git SHA. There is absolutely no difference in actions/checkout@v3 and actions/checkout@main in terms of security. So let's put that argument where it belongs.

Regarding "if a broken commit is made to an action's branch then we will immediately feel it." Put bluntly: I don't care. What I do care about is getting far fewer dependabot (or whatever other auto check bot) notifications that a new release is available. I don't care if they get automerged or not, the notifications still fill up my inbox with useless information. Referencing actions/whatever@main solves this problem.

I think it is highly unlikely we are going to be hit by any severe issue in the core GitHub actions. I am very willing to accept an occasional disruption in favor of reduced stress.

[Eomm]

targetting the major tags lets us to get fewer dependabot notification and check manually for major releases

[mcollina]

lgtm

[mcollina]

@jsumners I don't think these actions will bump majors very often. The disruption will be minimal for one repo. I still think keeping it to a tag like this is ok.

[Fdawgs]

The links-check actions would need to be updated too @Fdawgs

Thanks @luisorbaiceta, got that one in 57b77ad

What I do care about is getting far fewer dependabot (or whatever other auto check bot) notifications that a new release is available. I don't care if they get automerged or not, the notifications still fill up my inbox with useless information.

I think it's a good idea to reduce Dependabot notifications @jsumners, but I think we're looking in the wrong place.
GitHub Actions are only checked once a month, as per the Dependabot config, and since we're using major tags we rarely get any Dependabot PRs for them (as mentioned by @Eomm and @mcollina). As an example, actions/checkout has multi-year gaps between each of its majors.
If we really want to cut down on Dependabot notifications we should decrease the NPM dependency checks from weekly to monthly.

[simoneb]

I expressed my opinion on this already and I disagreed with @jsumners introducing this change arbitrarily. Ultimately my main concern around using branch references is that what lands in the main branch is not deemed stable, so using it is unadvisable.

Using major tag references instead is in my opinion the best compromise between staying up to date with fixes and improvements to the action, limiting the noise produced by dependabot and relying on something that's stable.

[mcollina]

I think most of us are in favor of landing this. Is there anything more you'd like to add @jsumners ?

[jsumners]

I disagreed with @jsumners introducing this change arbitrarily.

Making requests in code review is not arbitrary. That's the point of them.

I think most of us are in favor of landing this. Is there anything more you'd like to add @jsumners ?

I have not blocked this.

[mcollina]

Awesome! Landed

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.