Pin third party actions

[blink1073]

Verified commits:

googleapis/release-please-action@a02a34c
ruby/setup-ruby@dffc446
rubygems/release-gem@a25424b
aws-actions/configure-aws-credentials@e3dd6a4
aws-actions/aws-secretsmanager-get-secrets@5e19ff3

[alcaeus]

Sorry I missed this PR. What's the reason for pinning these actions? This would also prevent dependabot from submitting updates for actions, as it can't handle actions that are pinned to a specific commit.

[blink1073]

It is considered best practice by GitHub and Zizmor, and is documented to work with dependabot:

"Pin actions to a full length commit SHA"

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

"For each action in the file, Dependabot checks the action's reference (typically a version number or commit identifier associated with the action) against the latest version"

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#about-dependabot-version-updates-for-actions

[alcaeus]

Thank you for the clarification, LGTM.

I recently checked support for Dependabot updates on actions with a commit hash and was under the impression that it doesn't work - let's see if updates work correctly.