Description

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.

Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does Scorecard security tool.

Analyzing node.js.yml and codeql-analysis.yml, the workflows use actions such as actions/checkout@v3 and actions/cache@v3. All actions are referenced by tags. To prevent the attacks mentioned above, it would be good to change the tag references to commit SHAs. If you agree, I can open a PR.

Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)