Pin DeterminateSystems/nix-installer-action to SHA (#32)

GitHub recommends pinning 3rd party actions for security and reproducibility. This should be a familiar idea for folks who've worked with Nix. 😄 https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions For now, I've excluded dependencies from `actions/` as these are "2nd party" actions, developed and published by GitHub. We have higher trust that GitHub published actions won't spuriously force push tag values, resulting in non deterministic runtime behavior. If you'd like to pin all dependencies, let me know and I'll update this to include everything. This will result in a higher sustaining burden, as Dependabot (#31) will generate many more updates for pinned `actions/` actions.
jetify-com · Feb 6, 2024 · a156336 · a156336
1 parent 4a7f1d5
commit a156336
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/action.yml b/action.yml
@@ -127,7 +127,7 @@ runs:
 
     - name: Install nix
       if: inputs.skip-nix-installation == 'false'
-      uses: DeterminateSystems/nix-installer-action@v4
+      uses: DeterminateSystems/nix-installer-action@65d7c888b2778e8cf30a07a88422ccb23499bfb8  # v4
       with:
         logger: pretty
         extra-conf: experimental-features = ca-derivations fetch-closure