Pin GitHub actions to commit SHAs

[sbueringer]

It would be great if we can pin our GitHub actions to specific commits instead of just to tags.

Recently a feature was added to dependabot (link) which makes it possible to bump actions even if they are referencing commit SHAs.

I would suggest to use the following format:

   - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # tag=v2.1.0

Notes:

• We should be able to get the commit SHA's by simply taking them from the tags/releases that we currently use.

/kind feature

[sbueringer]

/triage accepted

/help

[k8s-ci-robot]

@sbueringer:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/triage accepted

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[LuBingtan]

Hi, I'd like to open a PR for this issue
/assign

[LuBingtan]

#7502 PTAL 😄
Thanks!

[sbueringer]

Thx!

Thx to @naveensrinivasan as well for bringing this up initially via #6341