fix(ci): Prevent poisoning of sources by relocating checkout

Origin: SiliconLabsSoftware#122
Relate-to: Z-Wave-Alliance/OSWG#48 (comment)
Relate-to: SiliconLabsSoftware#67
Relate-to: https://github.com/rzr/z-wave-protocol-controller/security/code-scanning/1
Relate-to: https://cwe.mitre.org/data/definitions/829.html
Relate-to: SiliconLabsSoftware#100
Signed-off-by: Philippe Coval <[email protected]>

Author: rzr

.github/workflows/test.yml

@@ -46,10 +46,6 @@ jobs:
           echo "TODO: https://docs.docker.com/engine/security/trust/"
         # yamllint enable rule:line-length
       # yamllint disable-line rule:line-length
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.workflow_run.head_commit.id }}
 
       - name: Download embedded applications package
         # yamllint disable-line rule:line-length
@@ -77,6 +73,12 @@ jobs:
           && rm z-wave-stack-binaries-*-Linux.tar.gz
           && date -u
 
+      - name: Download tests files
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.workflow_run.head_commit.id }}
+
       - name: Run
         id: run
         # yamllint disable rule:line-length