.github/workflows: use @{sha1} for actions

more secure this way. see also https://julienrenaux.fr/2019/12/20/github-actions-security-risk/

point the sha1 to

* labeler@v3
* milestone@main HEAD

Signed-off-by: Kefu Chai <kchai@redhat.com>
(cherry picked from commit 79e8038046092053b0c0b120e0d7ca07a33a1c00)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index c39b24c732463c0b932a15e750aaa4ab33c05726..c7cce97b6f02750d41b73de245503df437d0f99a 100644 (file)
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -5,11 +5,11 @@ jobs:
   pr-triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@main
+      - uses: actions/labeler@9794b1493b6f1fa7b006c5f8635a19c76c98be95
         with:
           sync-labels: ''
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
-      - uses: iyu/actions-milestone@v1
+      - uses: iyu/actions-milestone@9aa2197e1bda6cf71541d1bf6fa4f73edc543991
         with:
           configuration-path: .github/milestone.yml
           repo-token: "${{ secrets.GITHUB_TOKEN }}"