[mod] ci: strict(er) exec (#5099)

All actions are pulled using the version hash, versions are handled by
dependabot, and we'll have control over which actions get updated.

Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the
images there, and the action will keep us in sync about the problems on GHCS
dashboard.

1 files changed, 3 insertions, 3 deletions

diff --git a/.github/workflows/checker.yml b/.github/workflows/checker.yml
index 8e16aeef9..5b71cd5a7 100644
--- a/.github/workflows/checker.yml
+++ b/.github/workflows/checker.yml
@@ -24,17 +24,17 @@ jobs:
     runs-on: ubuntu-24.04-arm
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
         with:
           python-version: "${{ env.PYTHON_VERSION }}"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: "false"
 
       - name: Setup cache Python
-        uses: actions/cache@v4
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809  # v4.2.4
         with:
           key: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-${{ hashFiles('./requirements*.txt') }}"
           restore-keys: "python-${{ env.PYTHON_VERSION }}-${{ runner.arch }}-"