Pin actions to latest commit

[Alex-Welsh]

Updates all actions that were previously pinned to a tag, to be pinned to the latest commit hash

This is to mitigate the risk of supply chain attacks that target upstream GitHub actions, and avoid node 20 deprecation warnings at the same time.

After doing this all by hand for SKC, I decided to just ask Gemini for a script to do it this time. I iterated on it a few times but the script is here

It ignores anything in the StackHPC org

[gemini-code-assist]

Code Review

This pull request updates the GitHub Actions in the setup and slack-alert workflows to use specific commit SHAs instead of version tags for enhanced security. The review feedback recommends appending the human-readable version tags as comments to the pinned SHAs to improve maintainability and clarity for future updates.

[stackhpc-ci]

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Warning: Deprecated attribute

  on repositories.tf line 20, in resource "github_repository" "repositories":
  20:       has_downloads,

The attribute "has_downloads" is deprecated. Refer to the provider
documentation for details.
Success! The configuration is valid, but there were some validation warnings
as shown above.

Terraform Plan 📖success

Show Plan

undefined

Pusher: @Alex-Welsh, Action: pull_request, Working Directory: ``, Workflow: Terraform GitHub

[priteau]

Can the script add the tag as a version, as suggested by Gemini code review?

Also, can you confirm it is using the SHA of the latest published tag, when once is available?

[Alex-Welsh]

Can the script add the tag as a version, as suggested by Gemini code review?

Also, can you confirm it is using the SHA of the latest published tag, when once is available?

Added comments showing which version is being used. The script should pull the commit for the latest published tag, and fall back to the main branch if if it fails