ci: Pin dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	pinDigest	-> 0c45773
actions/checkout	action	pinDigest	-> 0ad4b8f
actions/download-artifact	action	pinDigest	-> 65a9edc
actions/labeler	action	pinDigest	-> 8558fd7
actions/upload-artifact	action	pinDigest	-> 6546280
fsfe/reuse-action	action	pinDigest	-> a46482c
gaurav-nelson/github-action-markdown-link-check	action	pinDigest	-> 5c5dfc0
github/codeql-action	action	pinDigest	-> b7cec75
rojopolis/spellcheck-github-actions	action	pinDigest	-> dbd2f1d

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[cmeister2]

Changes are consistent and as expected

[bagder]

I can't comment/review, I don't know if pinning is to prefer to plain versions.

[cmeister2]

I can't comment/review, I don't know if pinning is to prefer to plain versions.

My understanding is that pinning dependencies is preferred for OpenSSF, which I believe curl is signed up for. It's also better to pin to a hash rather than a tag because tags can be changed on Git.

I don't think it's adding much security but I think it's a best practice that doesn't add much, if any, friction with its use.

[bagder]

It's also better to pin to a hash rather than a tag because tags can be changed on Git.

... and we automatically adapt to the new one by advancing the pin? Or what kind of extra checks are done when the pin is updated?

How often is this changing, do we know? Does it risk becoming a nuisance?

[bagder]

"actions/checkout" is pinned to two different hashes which looks incorrect

[cmeister2]

... and we automatically adapt to the new one by advancing the pin? Or what kind of extra checks are done when the pin is updated?

How often is this changing, do we know? Does it risk becoming a nuisance?

Yes, this auto-advances by advancing the pin. It's not particularly spammy - given we've had this set up on curl-fuzzer for quite a while now and it's raised a handful of updates.

[cmeister2]

"actions/checkout" is pinned to two different hashes which looks incorrect

One is v2 and one is v4 - the update here is being handled by #13632

[bagder]

One is v2 and one is v4

So how does it know it is a pinned version of v2 and v4? Is the added comment in the yaml how it knows?

handled by #13632

can't we just merge that PR into this to reduce clutter?

[cmeister2]

One is v2 and one is v4

So how does it know it is a pinned version of v2 and v4? Is the added comment in the yaml how it knows?

I believe so.

handled by #13632

can't we just merge that PR into this to reduce clutter?

I don't think so. Once every instance of the dependency is on the same version then it becomes much less of a clutter problem.

[bagder]

Let's do this. If it causes too much churn or nuisance we can reconsider later.