by cmckn 455 days ago
I always use commit hashes for action versions. Dependabot handles it, it’s a no-brainer.

> commit hashes

There is some latent concern that most git installations use SHA-1 hashes, as opposed to SHA-256. [0]

There is also the trick of creating a branch that happens to be named the same as a revision, which then takes precedence for certain commands.

[0] https://git-scm.com/docs/hash-function-transition
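A check for the practice in these two comments, pinning `uses:` references to a full commit id and treating short hex refs that a branch name could shadow as suspect. This is an added example, not code from the thread; the workflow text and the 40-hex value in it are constructed placeholders.

```python
import re

# Constructed sample workflow for this example (not from the thread). The
# 40-hex value is a made-up placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: other-org/tool@deadbeef
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Full object id: 40 hex (SHA-1) or 64 hex (SHA-256 repositories).
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")

def classify_ref(ref: str) -> str:
    """Classify the part after '@' in a 'uses:' reference."""
    if FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    if re.fullmatch(r"[0-9a-f]{4,39}", ref):
        # Abbreviated hex: a short SHA, or a branch/tag deliberately named
        # like one, which some git commands resolve in the branch's favour.
        return "ambiguous-short-hex"
    return "mutable"  # tag or branch name: can be moved after you pin it

def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (uses-reference, verdict) for each remote action reference."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        # Local actions and docker:// images are not git refs; skip them.
        if uses.startswith(("./", "docker://")):
            continue
        # A missing '@' leaves the whole string as the ref; it is flagged mutable.
        ref = uses.rsplit("@", 1)[-1]
        findings.append((uses, classify_ref(ref)))
    return findings

if __name__ == "__main__":
    for uses, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:20} {uses}")
```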

> creating a branch that happens to be named the same as a revision, which then takes precedence for certain commands

TIL; yikes! (and thanks)

A signed commit [0] might be good for internal devops stuff (e.g. "yes, we really do want this version in production") but unfortunately that's not gonna work for pulling in third-party tooling, since most won't use it.

[0] https://git-scm.com/book/ms/v2/Git-Tools-Signing-Your-Work