Pin GitHub Actions at specific tags and commits (#2748)

* Pin 3rd party action

* Pin GitHub-maintained actions to tag

* Bump Bundlewatch Node.js to v14 LTS

I have no clue what my thought process was when creating this workflow
initially. Thrown this in here as it's a minor change and it's silly to
make a PR just to update this number, in my opinion.

framework/core/.github/workflows/build.yml

@@ -7,10 +7,14 @@ on:
 
 jobs:
   build:
+    name: JS / Build
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@master
-      - uses: flarum/action-build@master
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build production JS
+        uses: flarum/action-build@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

framework/core/.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@master
+        uses: actions/checkout@v2
 
       - name: Set up Node
         uses: actions/setup-node@v2

framework/core/.github/workflows/pr_size_change.yml

@@ -17,12 +17,13 @@ jobs:
     name: Bundlewatch
 
     steps:
-      - uses: actions/checkout@master
+      - name: Check out code
+        uses: actions/checkout@v2
 
       - name: Setup Node.js
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v2
         with:
-          node-version: "12"
+          node-version: "14"
 
       - name: Install JS dependencies
         run: npm ci

framework/core/.github/workflows/test.yml

@@ -43,10 +43,11 @@ jobs:
     name: 'PHP ${{ matrix.php }} / ${{ matrix.db }} ${{ matrix.prefixStr }}'
 
     steps:
-      - uses: actions/checkout@master
+      - name: Check out code
+        uses: actions/checkout@v2
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@0b9d33cd0782337377999751fc10ea079fdd7104 # pin@v2
         with:
           php-version: ${{ matrix.php }}
           coverage: xdebug