gh workflow assign-pr: pin

[ryanbr]

From; brave@e7e7277 Author; @thypon

Context for fix: https://x.com/ramimacisabird/status/1903068773411631426

[ryanbr]

@gorhill looks okay?

[gorhill]

I am not worried about @actions/checkout, unlike some more obscure actions, and pinning to a specific version is a double edge solution: security fixes past the pinned version would be left out. I prefer to keep the current workflow as is.

[ryanbr]

@thypon thoughts? ^

[ryanbr]

Quoted from @thypon;

• I agree that action/checkout is a minor. softprops/action-gh-release is not an official github action, and is vulnerable to supply chain attacks as much as tj-actions in this case.
• Moreover renovate is able to manage these updates with the following config.

{
  "extends": [
      "config:recommended",
      "helpers:pinGitHubActionDigestsToSemver",
      ":pinDevDependencies"
  ]
}

This will:

• shield against the most supply chain attacks
• make the supply chain reproducible, and not break at these behind the scene bumps

[gorhill]

Ok, so if you can revert the changes to actions/checkout@v4, I will pull the changes for softprops/action-gh-release@v2.

[ryanbr]

Done @gorhill