For actions that are pinned-by-hash, bump the human readable version number in the code comment

[ChrisCarini]

Hello!

As good security practice and guided by the code scanning alert for 'Pinned-Dependencies' from the ossf/scorecard project, users are encouraged to pin GitHub workflow actions by hash. The example provided by the scorecard repoincludes a comment following the action+pinned-hash, example below:

     - name: Clone the code
       uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4

Subsequent updates by dependabot do not bump the version in the comment, leading to confusion and incorrect information. An example of this can be found here: ChrisCarini/environment-variable-settings-summary-intellij-plugin#36

Below is a before & after example of the above linked PR

Before

After

Summary

Dependabot updated ossf/scorecard-action from version v1.0.1 to v1.0.2.

In the "Before", the hash was updated correctly, however the trailing comment with the tag version, was not.

Hash	Tag Version
e3e75cf2ffbf9364bbff86cdbdf52b23176fe492	v1.0.1
c8416b0b2bf627c349ca92fc8e3de51a64b005cf	v1.0.2

I believe this change would help GitHub workflow owners to have a better security posture w.r.t. using hash-pinned GitHugb action dependencies, while also having improved ergonomics to be able to quickly verify they are on the correct version.

This idea shares similar sentiment of #3699

(I would consider trying to make a code change for this, however I lack expertise in Ruby and have thus far struggled to get the project opened for development.)

[jeffwidman]

I think this is a great idea and we'd happily merge a PR if anyone wants to take a crack at it. Looking at the relevant code, I don't think it'd be that hard to implement.

A few design notes:

1. Another comment format we should support (from Update version comment when hashes are updated in pull requests #5314) is # pin @v2.4.0. Other variations are probably # @v2.4.0 etc. Or we could simply pick one and go with it... I doubt most users would complain after the initial migration.
2. Probably we should only bump this pin if it's present... although a part of me wonders if always appending it to SHAs might be both more useful and easier to implement/maintain??
3. It should only be modified if the actual version is a SHA... that avoids accidentally bumping random other comments if the actual version is already human readable.

[lucacome]

I want to pin the dependencies in our repos, but I'm kinda waiting for this feature to be implemented. It will make it much easier to maintain.

I was looking into StepSecurity to do the first pass in all the workflows and found step-security/secure-repo#1087. They removed the tag comment because dependabot doesn't support updating it.

I also wanted to point out that the OpenSSF action uses yet another format for the comment when you create their workflow

  - name: "Checkout code"
    uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0

not sure how popular this is...I think # v3.0.0 is more than enough and I'd be okay with dependabot overwriting the comment when updating the dependency.