chore(gh): update release

[tenthirtyam]

Summary of Pull Request

• Correct formatting.
• Pin GitHub Actions to release commit SHA.

Type of Pull Request

• This is a bug fix.
• This is an enhancement or feature.
• This is a code style/formatting update.
• This is a documentation update.
• This is a refactoring update.
• This is a chore update
• This is something else.
  Please describe:

Related to Existing Issues

Test and Documentation Coverage

For bug fixes or features:

• Tests have been completed.
• Documentation has been added/updated.

Breaking Changes?

• Yes, there are breaking changes.
• No, there are no breaking changes.

[ksamoray]

@tenthirtyam what's the advantage of specifying the version in this way? Are you concerned that compatibility will break by GH action changes?

[tenthirtyam]

From the GH docs: "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork."

[ksamoray]

Yeah I understand that you intend to enforce a specific sub-version of the action. The question is why? As if anyone fixes anything we won't see it. Are you worried about compatibility?

[tenthirtyam]

Using a specific commit SHA when specifying a GitHub Action ensures the workflow runs against a known state of the action. This guarantees reliability, stability, and security by ensuring that the exact code specified is used, even if the version tag is modified later.

Dependabot will then automatically manage open PRs to update actions using the @<commit-sha> #vX.Y.Z format, providing detailed information on the changes in the action’s release.

[tenthirtyam]

@vmware/terraform-provider-nsxt-maintainers: reminder.