chore(deps): pin dependencies

.github/workflows/main.yml

@@ -23,8 +23,8 @@ jobs:
           - 27017:27017
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v4
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
       with:
         python-version: '3.10'
     - name: Install dependencies (with all extras)
@@ -41,8 +41,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v4
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
       with:
         python-version: '3.10.11'
     - name: Install dependencies (with all extras)
@@ -60,13 +60,13 @@ jobs:
     outputs:
       should_publish: ${{ steps.check.outputs.result }} 
     steps:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3
       with:
         node-version: 14
     - run: npm install [email protected]
     - name: Ensure tag for version bump
       id: check
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
       with:
         script: |
           const toml = require('toml')
@@ -137,8 +137,8 @@ jobs:
     # NB: outputs are always strings; explicitly parse to get a boolean
     if: ${{ fromJSON(needs.check_version.outputs.should_publish) }}
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v4
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+    - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
       with:
         python-version: '3.10'
     - name: Install poetry