Verify SHA belongs to released version

[assignUser]

On top of that that makes it quite hard if the pinned hash actually corresponds to an actual released version of the action which could lead to the case where somebody might getting a commit hash approved that is not actually a released version. I would certainly add version comment for each action and add a validation to see if it really corresponds to the tag.

@netomi in slack

[pjfanning]

I would argue that we should at least have a comment for each SHA naming the related version. One format I would suggest is that the comment is a link like this.
https://github.com/manusa/actions-setup-minikube/releases/tag/v2.14.0

This link shows the version tag and the SHA hash for the related git commit (and that is the SHA that will be appearing in our yml file).

[raboof]

sounds like a good start. not sure it needs the full url or just the tag, as the repo can be derived from the action specification.

as a next step it could perhaps even be a non-comment field so the tooling can validate the hash indeed (currently) corresponds to that tag? or would the generic GHA tooling reject such an 'unknown' field?