ci: use sha pinning to mitigate (#50)

* ci: use sha pinning to mitigate

Lower risk about supply chain attack even though matched tag was compromised.

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

* ci: workaround bundler-cache: true installation failure

It will fix:

  Installing Bundler Ruby 2.3.2 - 2.5 only works with Bundler 2.3
  /opt/hostedtoolcache/Ruby/2.5.0/x64/bin/gem install bundler -v ~>
  2.3.0 Successfully installed bundler-2.3.27 1 gem installed Took
  14.36 seconds > bundle install Setting BUNDLER_VERSION=2.3 for
  "bundle config|lock" commands below to ensure Bundler 2.3 is used
  /opt/hostedtoolcache/Ruby/2.5.0/x64/bin/bundle config set --local
  path
  /home/runner/work/fluent-plugin-formatter-protobuf/fluent-plugin-formatter-protobuf/vendor/bundle
  /opt/hostedtoolcache/Ruby/2.5.0/x64/lib/ruby/2.5.0/rubygems.rb:289:in
  `find_spec_for_exe': can't find gem bundler (>= 0.a) with executable
  bundle (Gem::GemNotFoundException) from
  /opt/hostedtoolcache/Ruby/2.5.0/x64/lib/ruby/2.5.0/rubygems.rb:308:in
  `activate_bin_path' from
  /opt/hostedtoolcache/Ruby/2.5.0/x64/bin/bundle:23:in `<main>'

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

---------

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

Author: kenhys

.github/workflows/build-and-test.yml

@@ -13,11 +13,13 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Ruby 2.5
-        uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
+      - name: Install bundler explicitly for Ruby 2.5
+        run: |
+          gem install bundler -v 2.3.27
+          bundle _2.3.27_ install
       - name: "Linting"
         run: "bundle exec rake lint:check"
 
@@ -36,9 +38,9 @@ jobs:
           - '2.6'
           - '2.5'
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}
@@ -61,9 +63,9 @@ jobs:
           - '2.5'
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby-version }}

.github/workflows/codeql-analysis.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

.github/workflows/release-please.yml

@@ -15,10 +15,10 @@ jobs:
           release-type: ruby
           version-file: "lib/fluent/plugin/version.rb"
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd # v1.288.0
         with:
           bundler-cache: true
           ruby-version: '2.5'