Is there an existing issue for this?
Feature description
GitHub is working on shipping immutable version tags for GitHub actions.
Historically the security recommendation has been to not pin directly to a semver tag but rather to a SHA, and then put the version in the code comment:
However, for actions that are using immutable version tags, it's now safe to pin directly to the semver version:
uses: actions/checkout@v4.2.2
It'd be great if started suggesting updates that automagically handled this migration. I don't think it'd be that hard for us either, as we already map from SHA back to the semver tag... so all we'd need to do is identify whether the semver tag is an immutable action or not.
To minimize confusion, we may need to somehow indicate to users "yes, this action is using immutable actions, it's safe to pin them directly to semver".
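The issue above turns on one distinction: a `uses:` reference pinned to a full commit SHA (with the release recorded in a trailing comment) versus one pinned to an exact semver tag, which is only as trustworthy as the tag is immutable. The checker below is an added example, not code from the issue or from the tool it asks for. It walks a workflow file, classifies every action reference, and flags exact tags on actions that are not known to publish immutable releases. Everything in it is constructed for the example: the sample workflow, the two 40-hex placeholder SHAs, the `example-org/*` action names, and the `IMMUTABLE_ACTIONS` set (a hypothetical stand-in for the lookup a real tool would have to do; `actions/checkout` is listed only because the issue uses it as its example of a safe semver pin).

```python
"""Classify `uses:` pins in a GitHub Actions workflow (constructed example).

Does not query GitHub. Which actions publish immutable release tags is
supplied by the caller; IMMUTABLE_ACTIONS below is a hypothetical placeholder.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A `uses:` step reference: owner/repo[/subpath]@ref, optionally followed by a comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s#]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
VERSION_IN_COMMENT_RE = re.compile(r"\bv?\d+\.\d+\.\d+\b")

# HYPOTHETICAL: actions assumed, for this example only, to publish immutable
# release tags. A real tool would look this up rather than hard-code it.
IMMUTABLE_ACTIONS = frozenset({"actions/checkout"})


@dataclass
class Pin:
    line_no: int
    repo: str               # owner/repo with any subpath stripped
    ref: str
    comment: Optional[str]
    kind: str
    note: str


def classify_ref(repo: str, ref: str, comment: Optional[str], immutable_actions) -> tuple:
    """Return (kind, note) for a single action reference."""
    if FULL_SHA_RE.match(ref):
        if comment and VERSION_IN_COMMENT_RE.search(comment):
            return ("sha-with-version-comment",
                    "pinned to a commit; release recorded in the comment for readers and update tooling")
        return ("sha-without-version-comment",
                "pinned to a commit, but nothing records which release it corresponds to")
    if EXACT_SEMVER_RE.match(ref):
        if repo in immutable_actions:
            return ("immutable-tag", "exact release tag on an action with immutable tags")
        return ("mutable-tag",
                "exact release tag, but the tag itself can be moved; pin to the commit SHA instead")
    return ("floating-ref",
            "major tag or branch; resolves to whatever it points at when the job runs")


def audit_workflow(text: str, immutable_actions=IMMUTABLE_ACTIONS) -> list:
    """Return one Pin per remote action reference found in the workflow text."""
    pins = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # local `./path` actions, docker:// refs and non-uses lines are skipped
        repo = "/".join(m.group("repo").split("/")[:2])
        kind, note = classify_ref(repo, m.group("ref"), m.group("comment"), immutable_actions)
        pins.append(Pin(line_no, repo, m.group("ref"), m.group("comment"), kind, note))
    return pins


def summarize(pins) -> dict:
    """Count pins per classification."""
    counts = {}
    for p in pins:
        counts[p.kind] = counts.get(p.kind, 0) + 1
    return counts


# Constructed sample workflow; the SHAs and example-org actions are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # v4.2.2
      - uses: actions/checkout@v4.2.2
      - uses: example-org/tool-action@v1.2.3
      - uses: example-org/tool-action/subdir@v2
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/tool-action@main
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for p in found:
        print(f"line {p.line_no}: {p.repo}@{p.ref} -> {p.kind}: {p.note}")
    print(summarize(found))
```

The "mutable-tag" and "sha-without-version-comment" findings are the two the issue cares about: the first is where a migration to a bare semver pin would be unsafe unless the action is confirmed immutable, and the second is where the SHA-to-version mapping the issue mentions has nothing to work from. Replacing `IMMUTABLE_ACTIONS` with a real lookup is the piece the example deliberately leaves as an assumption.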