please add a sigstore/cosign-installer action #524
Description
Several repos use this action: nami, source-integrity-demo, maxcve, auto-deploy-demo, chainguard-migration-demo, and ynad. They had or are using the mutable tags @main, @v3.2.0, and @v3.7.0.
ProdSec is onboard with using mutable tags (e.g., @main) when referencing actions in Chainguard's org/actions repos. Otherwise we would like to see full-length commit SHA pinning to avoid a future tj-actions like attack (https://github.com/chainguard-dev/prodsec/issues/60). If other Chainguard repos are only allowed to use mutable tags to reference org/actions and org/actions always pins external actions, we are not taking on any more risk than those other Chainguard repos pinning to the external repo directly.
By centralizing this pinning, updates can be rolled out in lockstep and we lower dependabot and security maintenance.