tools: use hashes instead of tags for external actions (#43284)

Using tags is a security risk, as they can be updated to point to
anything else.

Refs: nodejs/corepack#117 (comment)

PR-URL: #43284
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>

Author: aduh95

.github/workflows/authors.yml

@@ -16,7 +16,9 @@ jobs:
           fetch-depth: '0'  # This is required to actually get all the authors
           persist-credentials: false
       - run: tools/update-authors.mjs  # Run the AUTHORS tool
-      - uses: gr2m/create-or-update-pull-request-action@v1  # Create a PR or update the Action's existing PR
+      - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
+        # Creates a PR or update the Action's existing PR, or
+        # no-op if the base branch is already up-to-date.
         env:
           GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
         with:

.github/workflows/find-inactive-collaborators.yml

@@ -30,7 +30,9 @@ jobs:
         run: tools/find-inactive-collaborators.mjs
 
       - name: Open pull request
-        uses: gr2m/create-or-update-pull-request-action@v1
+      - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
+        # Creates a PR or update the Action's existing PR, or
+        # no-op if the base branch is already up-to-date.
         env:
           GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
         with:

.github/workflows/find-inactive-tsc.yml

@@ -39,7 +39,9 @@ jobs:
         run: tools/find-inactive-tsc.mjs >> $GITHUB_ENV
 
       - name: Open pull request
-        uses: gr2m/create-or-update-pull-request-action@v1
+      - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
+        # Creates a PR or update the Action's existing PR, or
+        # no-op if the base branch is already up-to-date.
         env:
           GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
         with:

.github/workflows/license-builder.yml

@@ -15,7 +15,9 @@ jobs:
         with:
           persist-credentials: false
       - run: ./tools/license-builder.sh  # Run the license builder tool
-      - uses: gr2m/create-or-update-pull-request-action@v1.x  # Create a PR or update the Action's existing PR
+      - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
+        # Creates a PR or update the Action's existing PR, or
+        # no-op if the base branch is already up-to-date.
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/linters.yml

@@ -164,7 +164,7 @@ jobs:
       - uses: actions/checkout@v3
         with:
           persist-credentials: false
-      - uses: mszostok/codeowners-validator@v0.6.0
+      - uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
         with:
           checks: files,duppatterns
   lint-pr-url:

.github/workflows/notify-force-push.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@master
+        uses: rtCamp/action-slack-notify@12e36fc18b0689399306c2e0b3e0f2978b7f1ee7
         env:
           SLACK_COLOR: '#DE512A'
           SLACK_ICON: https://github.com/nodejs.png?size=48

.github/workflows/tools.yml

@@ -80,7 +80,9 @@ jobs:
         with:
           persist-credentials: false
       - run: ${{ matrix.run }}
-      - uses: gr2m/create-or-update-pull-request-action@v1  # Create a PR or update the Action's existing PR
+      - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
+        # Creates a PR or update the Action's existing PR, or
+        # no-op if the base branch is already up-to-date.
         env:
           GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
         with: