[evntdrvn]

it is documented as recommended here fwiw: https://docs.github.com/en/actions/security-for-github-actio...

[sundarurfriend]

And the syntax to do that is to use `foo/bar@commitshagoeshere` as in

    - uses: RafaelGSS/bad-action@e20fd1d81b3f403df56f5f06e2aa9653a6a60763 # v1.0.1

(example from https://blog.rafaelgss.dev/why-you-should-pin-actions-by-com...)

[0rzech]

This. Using tags is acceptable only for official GitHub actions, anything else should be pinned.