rust-lang / cfg-if

A if/elif-like macro for Rust #[cfg] statements

Hash pin main.yml dependencies.

joycebrum opened this issue · comments

Description

I would like to suggest another security practice recommended by the OpenSSF Scorecard which is to hash pin dependencies to prevent dependency-confusion and typosquatting attacks.

The change would only be applied to GitHub workflows, dockerfiles and shell scripts dependencies. The cfg-if case would only need changes on the GitHub workflow main.yml.

This means:

  • Hash pinning GitHub Workflow actions.

Together with the issue I'll also suggest the PR with changes since they are quite simple. I'll also suggest adding github-action for dependabot to update since it is able to update both the hash and the comment version related to it.

Any questions or concerns just let me know.
Thanks!

Additional Context

For more information about dependency confusion / typosquatting attacks:

For more information about the dependency-update tools:
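As an added illustration of the practice the issue proposes (this is not code from the cfg-if project, from the issue author's PR, or from the OpenSSF Scorecard), the Python script below checks a workflow file for `uses:` references that are not pinned to a full commit SHA and shows the pinned form with the trailing version comment that Dependabot keeps in sync. The sample workflow is constructed and is not the project's real main.yml; the 40-character SHA in it is a placeholder, not a real commit. The Dependabot configuration uses the real `github-actions` package ecosystem name.

```python
import re

# Constructed sample workflow (NOT the cfg-if project's actual main.yml).
# The first two steps use mutable tag refs; the third is hash-pinned with a
# placeholder SHA and a trailing version comment in the style Dependabot maintains.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - uses: actions/upload-artifact@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v3.1.0
      - run: cargo test
"""

# Dependabot configuration (.github/dependabot.yml) that updates hash-pinned
# actions together with their version comments; "github-actions" is the real
# ecosystem name, the weekly interval is an assumed choice.
DEPENDABOT_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

# Matches `uses: <ref>` whether or not the line starts a new list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex-digit git commit SHA is the only immutable reference form.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_number, action_ref) for every remote action whose ref is not a full SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local composite actions and docker:// images are not git refs; skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append((lineno, ref))  # no ref at all: floats with the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append((lineno, ref))  # tag or branch: mutable, can be moved
    return unpinned


def pin_action(ref, commit_sha):
    """Rewrite `owner/repo@tag` as `owner/repo@<sha> # tag`.

    commit_sha is the commit the tag resolves to (looked up by the maintainer);
    keeping the tag as a comment is what lets Dependabot bump both together.
    """
    if not SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be a full 40-hex-digit commit SHA")
    name, tag = ref.rsplit("@", 1)
    return f"{name}@{commit_sha} # {tag}"


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not hash-pinned")
    print("example pinned form:", pin_action("actions/checkout@v3", "b" * 40))
    print("dependabot config:\n" + DEPENDABOT_CONFIG)
```

Run against a real workflow by reading the file into `find_unpinned_actions`; the SHA used with `pin_action` should come from the action's release tag so the comment and the commit agree.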