Is your feature request related to a problem?

Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").

Related OSPO Tool

stale-repos GitHub Action, issues-metrics GitHub Action, automatic-contrib-prs GitHub Action, evergreen GitHub Action, cleanowners GitHub Action, contributors GitHub Action

Describe the solution you'd like

See remediation paths at https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/unpinnable_action.md#remediation

Ideally we would make our actions pinnable, update our docs to encourage that practice, and ensure our CI components are all pinned.

Describe alternatives you've considered

none

Additional context

Found based on running the poutine tool