[mheap]

I recently read https://julienrenaux.fr/2019/12/20/github-actions-security-r... which reminds us that depending on external GitHub Actions is risky as branch and tag refs are mutable

> Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.

Instead of updating to use a SHA everywhere, I wrote a tool to do it for you, making a note of the original version (e.g. @master).

This allows you to run the tool in the future and have the sha updated to the most recent version whilst still pinning to a specific commit.