Details
- Improvement
- Resolution: Unresolved
- Minor
- enhancement
Description
Hi!
I'd like to know if you are interested in a PR to update your GitHub workflows to refer to external actions by their SHAs. This is the only way to guarantee that you're using an immutable version of the code, which might protect you from tags being moved to malicious or buggy commits. It's a recommendation from GitHub itself and from security tools like Scorecard.
Although it's more reliable and secure, a clear downside of this change is the difficulty of maintenance, and that is why in this same Jira ticket I'd like to ask if you have considered using a Dependency Update tool, such as Dependabot or Renovatebot.
Those Dependency Update tools might be useful to help manage the Java dependencies of SLF4J, but also have an extra security impact because they would always highlight security patches from dependencies once they're available. Additionally, they're especially handy because they automatically update the SHAs of the GitHub Actions, also making sure to leave the human-readable version as a comment =)
Let me know what you think of those ideas; I'll be happy to help achieve them.
Additional Context
I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
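As an added illustration that is not part of this ticket or of SLF4J's repository, the Python below audits the `uses:` references in a workflow file and flags those that are not pinned to a full commit SHA, while also noting SHA pins that lack the human-readable version comment Dependabot keeps. The sample workflow and its 40-hex SHAs are constructed placeholders, not real commits.

```python
import re

# Constructed sample workflow (not SLF4J's own file); the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4.4.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Build
        run: mvn -B verify
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'docker', 'sha', 'mutable' or 'unversioned' for a `uses:` value."""
    if ref.startswith("./"):
        return "local"          # path inside the repo, versioned with the workflow itself
    if ref.startswith("docker://"):
        return "docker"         # container image: out of scope for action SHA pinning
    if "@" not in ref:
        return "unversioned"    # no ref at all: resolves to the action's default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"   # tag or branch can be moved

def audit_workflow(text):
    """One record per `uses:` line: line number, reference, classification, trailing comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            findings.append({"line": n, "uses": ref, "status": classify(ref),
                             "version_comment": comment})
    return findings

def unpinned_uses(text):
    """References a tag move could silently change: mutable tags/branches or no ref at all."""
    return [f["uses"] for f in audit_workflow(text) if f["status"] in ("mutable", "unversioned")]

def sha_without_comment(text):
    """SHA-pinned references missing the '# vX.Y.Z' comment that keeps the pin reviewable."""
    return [f["uses"] for f in audit_workflow(text) if f["status"] == "sha" and not f["version_comment"]]
```

Running `audit_workflow` over each file under `.github/workflows/` gives a quick before/after check for a SHA-pinning PR.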