Update Versions of GitHub Actions used

[stephengtuggy]

Hi there,

Thanks for the neat library! I wonder if you would be interested in some contributions to the project. Starting with a Pull Request to update the GitHub Actions to the latest versions.

[mangstadt]

Why is there a long hash here? Shouldn't it just be "v4"?

[stephengtuggy]

v4 would also work; however, my understanding is that specifying the full version and SHA is preferable in general, because it is more difficult for a malicious hacker to compromise your code via a compromised version of the GitHub action. See https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Technically, I suppose that since this is an official GitHub action, it doesn't fall under the category of "third-party actions." I've just gotten into the habit of using the full SHA wherever I can. Then I let Dependabot, Renovate Bot, or similar tools suggest updates to my GH Actions when there are updates available.

Let me know if you prefer simply v4 or v4.2.2, and I can update my PR accordingly.

Thanks!

[mangstadt]

Let's just go with the version number, since it's an official GitHub action.

Would "v4" end up using 4.2.2, since it is the latest version of the "4.0" release? I'd like to keep it as simple as possible.

[stephengtuggy]

Yes, v4 will use the latest v4 minor and patch version, so 4.2.2 currently.

OK, I will change it to just v4. Thanks.

[mangstadt]

Why is there a long hash here? Shouldn't it just be "v4"?

[stephengtuggy]

See my response on the other instance of actions/checkout

[mangstadt]

Thanks for the pull request. Please see my comments.

[mangstadt]

Merged, thanks! 👍

[mangstadt]

Uh oh, there's an error. Any chance you could look at this?

https://github.com/mangstadt/ez-vcard/actions/runs/12486445652/job/34846521443

[stephengtuggy]

@mangstadt I took a look at the above error. #154 should fix it.

Thanks!