ci: pin actions versions with hashes #2744

Open
mdevolde wants to merge 1 commit into simple-login:master from mdevolde:ci/pin-actions-versions

Conversation

@mdevolde mdevolde commented Jun 4, 2026

ci: pin actions versions with hashes

I have pinned the versions of the actions used in the workflows with hashes.

Pinning GitHub Actions to a commit hash is an effective safeguard against supply chain attacks. By referencing a specific and immutable version of an action, you prevent compromised versions from being automatically integrated into your pipelines.

Concerning actions for which I pinned the version to a more recent one than previously, I checked the breaking changes, and I just had to add method: chat.postMessage for slackapi/slack-github-action.

Here is the link to the tags for the actions I've pinned, if you want to check the hashes:

Pinning versions requires a bit of maintenance, since you have to perform manual upgrades regularly, but in your case, with workflows that handle secrets (such as secrets.GITHUB_TOKEN), it's a best practice to avoid trouble.
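The check below is an added example, not code from this PR or from the SimpleLogin project: it scans a workflow file for `uses:` steps that still reference a tag or branch (which can be moved after the fact) rather than a full commit SHA, and separately flags SHA-pinned steps that lack the trailing `# vX.Y.Z` comment that makes the manual upgrades mentioned above practical. The workflow text, the action names other than slackapi/slack-github-action, and the 40-hex hashes are constructed sample input, not real commits.

```python
import re

# A step's `uses:` line: owner/repo[/path]@ref, optionally followed by a "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(\S+))?")


def is_immutable_ref(ref: str) -> bool:
    """Only a full 40-hex commit id cannot be re-pointed later; tags and branches can."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def audit_workflow(text: str) -> list[dict]:
    """One finding per remote action that is not pinned to a full commit SHA,
    or that is SHA-pinned but carries no version comment to guide future upgrades."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` step, or a local action (no "@ref" part)
        action, ref, version_comment = m.groups()
        if action.startswith("docker://"):
            continue  # container images are not fetched by git ref; out of scope here
        if not is_immutable_ref(ref):
            findings.append({"line": lineno, "action": action, "ref": ref, "issue": "mutable-ref"})
        elif version_comment is None:
            findings.append({"line": lineno, "action": action, "ref": ref, "issue": "no-version-comment"})
    return findings


# Constructed sample workflow: the hashes are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v5.1.0
      - uses: slackapi/slack-github-action@main
        with:
          method: chat.postMessage
      - uses: ./.github/actions/local-check
      - uses: actions/upload-artifact@cafebabecafebabecafebabecafebabecafebabe
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['issue']}")
```

Run against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; an empty result means every remote action is SHA-pinned and annotated.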
