Closed Hofer-Julian closed 1 month ago
While I understand the idea, for setup-pixi I would like to use the latest, possibly even like to not pin that one to a version at all now I think about it. We have to be able to trust it.
Done
@Hofer-Julian @ruben-arts This is a recurring task – for all of us. I recently checked whether you already had a solution for automating it. After some research, I discovered
Are you using any other tools? If it’s effective for this task, we might want to include it in conda-forge as well. It might also be worth adding information about it to the documentation for using the actions.
I was using https://github.com/mheap/pin-github-action
I'd love to have that in conda-forge. Would you be interested in contributing that @ReimarBauer? I'd be happy to review it then.
For motivation see https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised and https://michaelheap.com/pin-your-github-actions/
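Added example, not part of the thread and not code from pin-github-action: a small audit that lists `uses:` references in a workflow that are not pinned to a full 40-character commit SHA, with an allowlist for actions deliberately left unpinned, as the first comment wants for setup-pixi. The workflow text, the tags in it, the placeholder SHA and the names `classify`, `audit` and `allow_unpinned` are constructed for illustration.

```python
import re

# Value of a `uses:` key, with or without a leading list dash; commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # lives in the same repository, versioned with the workflow
    if ref.startswith("docker://"):
        # Image tags are mutable; only a digest is immutable.
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, sep, version = ref.partition("@")
    # Tags and branches can be moved by whoever controls the action's repository.
    return "pinned" if sep and FULL_SHA_RE.match(version) else "unpinned"

def audit(workflow_text, allow_unpinned=()):
    """List (line number, reference) for every unpinned reference not on the allowlist."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or classify(m.group(1)) != "unpinned":
            continue
        ref = m.group(1)
        # owner/repo/subpath@ref -> owner/repo, the form used in the allowlist
        repo = "/".join(ref.partition("@")[0].split("/")[:2])
        if repo not in allow_unpinned:
            findings.append((lineno, ref))
    return findings

# Constructed workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: prefix-dev/setup-pixi@v0
      - uses: ./.github/actions/local-step
      - name: lint
        uses: some-org/some-action/sub@main
"""

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE, allow_unpinned={"prefix-dev/setup-pixi"}):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run over `.github/workflows/*.yml` in CI, a non-empty result can fail the job so that new unpinned references are caught at review time.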