dependabot-sha-comment-action VS setup-msys2

Def a real concern.

If anyone is interested to mitigate it yourself, these are helpful :)

https://docs.github.com/en/actions/creating-actions/about-cu...

https://github.com/dependabot/dependabot-core/issues/2835

https://github.com/zgosalvez/github-actions-ensure-sha-pinne...

https://github.com/timmeinerzhagen/dependabot-sha-comment-ac...

Other pages provide complementary information on that same topic.

Another thing I appreciated was the explanation of MSYS2's environments:

https://www.msys2.org/docs/environments/

Being able to painlessly switch away from MSVCRT to UCRT was helpful in solving some UTF-8 difficulties I was experiencing at the time.

Package management with pacman is rather pleasant, and the setup-msys2 GitHub Action makes it simple to provide your GHA workflow with the tools and libs you want:

https://www.msys2.org/docs/package-management/

https://packages.msys2.org/queue

https://github.com/msys2/setup-msys2

> Actions reduce workflow steps by providing reusabe[sic] “code” for common tasks. To run an action, you include the uses keyword pointing to a GitHub repo with the pattern {owner}/{repo}@{ref} or {owner}/{repo}/{path}@{ref} if it’s in a subdirectory. A ref can be a branch, tag, or SHA.

Aside from the typo, I wonder how many packages could be backdoored at once, if an action maintainer went rogue, seeing as there's no pinning for actions by default, and (according to https://github.com/msys2/setup-msys2/blob/main/HACKING.md) moving a tag is the default way to push updates to an action. (Interestingly get-cmake/run-cmake/run-vcpkg are all operated by the same person.)