Pinned action by SHA and included the URL for verification

[naveensrinivasan]

This is instead of this PR #6984

It was hard to rebase so opening a new one.

Specifically addressed this comment in this PR to include links to GitHub tags/commits in the comments to validate and test it.

#6984 (comment)

Motivation

• Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
• Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Also, dependabot supports upgrading based on SHA.

Signed-off-by: naveensrinivasan [email protected]

Have you read the Contributing Guidelines on pull requests?

Test Plan

Related PRs

[Josh-Cena]

Closing because of #6984 (comment)

[netlify]

✅ [V2]

Built without sensitive environment variables

Name	Link
🔨 Latest commit	7017d86
🔍 Latest deploy log	https://app.netlify.com/sites/docusaurus-2/deploys/623ff0fd5d0a160009115365
😎 Deploy Preview	https://deploy-preview-7028--docusaurus-2.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[github-actions]

⚡️ Lighthouse report for the changes in this PR:

Category	Score
🟠 Performance	53
🟢 Accessibility	100
🟢 Best practices	92
🟢 SEO	100
🟢 PWA	90

Lighthouse ran on https://deploy-preview-7028--docusaurus-2.netlify.app/