chore: add tag=prefix to pinned actions tags

.github/actions/checkout-go/action.yml

@@ -39,7 +39,7 @@ runs:
     #   2. if inputs.ref == ''
     - name: Checkout the repository with user ref
       if: inputs.ref != ''
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4
       with:
         persist-credentials: false
         repository: "${{ inputs.repository }}"
@@ -48,14 +48,14 @@ runs:
 
     - name: Checkout the repository with default ref
       if: inputs.ref == ''
-      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4
       with:
         fetch-depth: 1
         persist-credentials: false
         repository: "${{ inputs.repository }}"
         token: "${{ inputs.token }}"
 
     - name: Set up Go environment
-      uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
+      uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # tag=v3.2.0
       with:
         go-version: "${{ inputs.go-version }}"

.github/actions/secure-download-artifact/action.yml

@@ -18,7 +18,7 @@ runs:
   using: "composite"
   steps:
     - name: Download the artifact
-      uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
+      uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
       with:
         name: "${{ inputs.name }}"
 

.github/actions/secure-upload-artifact/action.yml

@@ -19,7 +19,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
       with:
         name: "${{ inputs.path }}"
         path: "${{ inputs.path }}"

.github/workflows/builder_go_slsa3.yml

@@ -81,7 +81,7 @@ jobs:
     steps:
       - name: Detect the builder ref
         id: detect
-        uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@ab345b0851aceba69a2ce8f3d2084f6e7d887850 # v1.1.1
+        uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@ab345b0851aceba69a2ce8f3d2084f6e7d887850 # tag=v1.1.1
 
   ###################################################################
   #                                                                 #
@@ -106,7 +106,7 @@ jobs:
           directory: "${{ env.BUILDER_DIR }}/go"
 
       - name: Upload the builder
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: "${{ env.BUILDER_BINARY }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -266,7 +266,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
@@ -298,7 +298,7 @@ jobs:
           sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}"
 
       - name: Release
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
         with:
           files: |
             ${{ needs.build-dry.outputs.go-binary-name }}

.github/workflows/generator_generic_slsa3.yml

@@ -124,7 +124,7 @@ jobs:
           echo "::set-output name=attestation-sha256::$attestation_sha256"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: "${{ steps.sign-prov.outputs.attestation-name }}"
           path: "${{ steps.sign-prov.outputs.attestation-name }}"
@@ -149,7 +149,7 @@ jobs:
           sha256: "${{ needs.generator.outputs.attestation-sha256 }}"
 
       - name: Release
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
         id: release
         with:
           files: |

.github/workflows/pre-submit.units.yml

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 
       - name: setup-go
-        uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
+        uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # tag=v3.2.0
         with:
           go-version: "1.18"
 

internal/builders/generic/README.md

@@ -109,15 +109,15 @@ jobs:
           echo "::set-output name=hashes::$(sha256sum artifact1 artifact2 | base64 -w0)"
 
       - name: Upload artifact1
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: artifact1
           path: artifact1
           if-no-files-found: error
           retention-days: 5
 
       - name: Upload artifact2
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
           name: artifact2
           path: artifact2
@@ -142,24 +142,24 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Download artifact1
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
         with:
           name: artifact1
 
       - name: Download artifact2
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
         with:
           name: artifact2
 
       - name: Download provenance
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v2.1.0
         with:
           # The provenance step returns an output with the artifact name of
           # our provenance.
           name: ${{needs.provenance.outputs.attestation-name}}
 
       - name: Create release
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
         with:
           files: |
             artifact1

internal/builders/go/README.md

@@ -157,7 +157,7 @@ jobs:
       tree-state: ${{ steps.ldflags.outputs.tree-state }}
     steps:
       - id: checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4
         with:
           fetch-depth: 0
       - id: ldflags