From 216aaef29a219a0bb3708d48797a2cf0db21e28a Mon Sep 17 00:00:00 2001
From: Sascha Mann
Date: Thu, 18 Jan 2024 16:21:26 +0100
Subject: [PATCH] Pin third party action to hash (#106)
Third party actions should never not be pinned to a hash. Otherwise, in case the action repo is taken over by a malicious actor, they can change what runs in all of the workflows that julia-actions/cache is used in as well. Pinning to a hash prevents that.
---
action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 43b3af2..e4c7b01 100644
--- a/action.yml
+++ b/action.yml
@@ -52,7 +52,7 @@ runs:
 using: 'composite'
 steps:
 - name: Install jq
- uses: dcarbone/install-jq-action@v2.1.0
+ uses: dcarbone/install-jq-action@8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb
 with:
 force: false # Skip install when an existing `jq` is present
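Review bot: The new `uses:` line drops the human-readable version, so a reader can no longer tell which release the 40-character SHA corresponds to; the usual convention is to keep the tag as a trailing comment, `uses: dcarbone/install-jq-action@8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb # v2.1.0`, which also lets pin-aware dependency bots track and bump the hash. Nothing on the page shows that this SHA is the commit behind the v2.1.0 tag in the upstream repository, so it should be checked against that tag before merge, since a wrong hash silently pins different code. A hash pin guards this one step against a moved tag or a compromised upstream repository; any other third-party `uses:` lines in action.yml are outside the hunk and would need the same treatment. The hunk header announces seven old-side lines but only six are visible, so the trailing context line appears to have been lost in collapsing.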