ci: Checkout after downloading files to prevent poisioning

Signed-off-by: Philippe Coval <[email protected]>

Author: rzr

.github/workflows/test.yml

@@ -46,11 +46,6 @@ jobs:
           rm -rfv "${file}"
           echo "TODO: https://docs.docker.com/engine/security/trust/"
         # yamllint enable rule:line-length
-      # yamllint disable-line rule:line-length
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.workflow_run.head_commit.id }}
 
       - name: Download embedded applications package
         # yamllint disable-line rule:line-length
@@ -78,6 +73,12 @@ jobs:
           && rm z-wave-stack-binaries-*-Linux.tar.gz
           && date -u
 
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.workflow_run.head_commit.id }}
+
       - name: Run
         id: run
         # yamllint disable rule:line-length