Open michaelglass opened 2 years ago
The reviewdog version is already an environment variable, so exposing it as an input would be trivial. It could work just like the brakeman version input, where the blank default just implies using the hard-coded default. Not sure if we want to implement this, though, since while the version could be changed, the action may not support it.
Right now, there's a potential security vulnerability where a rogue commit to the reviewdog library would yield access to my whole codebase.
Is it possible to lock down the reviewdog ref in script.sh to avoid this? (Affects most reviewdog actions, but as brakeman is security-focused, I wanted to start here.)
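
One way to lock down the fetch raised in this issue, as an added example that is not part of the original thread or the action's own script.sh: accept only a full commit SHA as the ref, and check the downloaded installer against a recorded SHA-256 before running it. The installer URL layout, the `-b` argument and the helper names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pin a fetched installer to an immutable ref and a known digest.

# True only for a full 40-hex commit SHA; branch and tag names can be moved.
is_immutable_ref() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only on an exact digest match.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# install_pinned REF EXPECTED_SHA256 BINDIR VERSION (hypothetical helper).
# Assumed URL layout: the installer lives at install.sh in the reviewdog repo.
install_pinned() {
  ref=$1
  expected=$2
  is_immutable_ref "$ref" || { echo "refusing mutable ref: $ref" >&2; return 2; }
  tmp=$(mktemp) || return 1
  url="https://raw.githubusercontent.com/reviewdog/reviewdog/${ref}/install.sh"
  curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "installer digest mismatch, not executing" >&2
    rm -f "$tmp"
    return 3
  fi
  # Run the installer only after both checks pass (never pipe curl into sh).
  sh "$tmp" -b "$3" "$4"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Both the commit SHA and the expected digest would be recorded in the action's repository and updated together when the pinned version is bumped.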