Detect actions that are pinned to master/main

[jmeickle-theaiinstitute]

I updated actionlint to the v1.7.1 which caught a stray actions/checkout@v2 in the codebase, which is awesome.

However, it didn't catch another instance where someone had pinned to actions/checkout@master.

Due to the possibility of pulling in a new major version or even a broken commit, my expectation is that pinning any action to master or main would default to being an actionlint failure. I'd expect this to require an explicit ignore to be accepted.

[leighmcculloch]

It'd be helpful if actionlint identified the uses of non-sha refs in third party actions, which is a security hardening best practice:

• https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

It could automatically allow actions/checkout@vN, and optionally actions from configured orgs assuming an org may want to reference their own checks with branches/tags, but not other third parties.