@desrosj This fixes the issue with the deprecated uses of

Wouldn't it be better to have something like Dependabot updating these automatically? The hashes are used instead of major versions for security reasons, so ideally the hashes of the new major versions would be used

@swissspidy Yes, that makes sense to me. How would someone know if it is "safe" to update via Dependabot PRs?

A Dependabot PR would just update Considering that Dependabot is a built-in feature from GitHub, I personally trust its PRs. The question is whether you trust the dependencies themselves, so the same due diligence with code review applies as if one manually submits a PR.

I will close this in favour of #189. Thanks @wpscholar for bringing this up!
No description provided.