by sunnybeetroot 453 days ago
By commit hash
1 comments

It seems to me that pinning to a SHA was not sufficient; the Renovate bot was updating actions referenced by SHA.

Example: https://github.com/chains-project/maven-lockfile/pull/1111/f...

This appears to be governed by the `pinGitHubActionDigests` helper configured in `renovate.json`.
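
The point raised in the comment above can be checked mechanically. The following Python check is an added example, not code from the thread or the linked project: it lists workflow `uses:` references that are not pinned to a full commit SHA and summarises whether a `renovate.json` will keep moving those pins. The action names, SHA and both sample inputs are constructed, and only the `matchManagers` and `matchUpdateTypes` matchers of `packageRules` are evaluated.

```python
import json
import re

# `uses: owner/repo[/path]@ref`; local (./) and docker:// references carry no "@ref".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(workflow_text):
    """Return (action, ref) pairs whose ref is not a full 40-hex commit SHA."""
    return [(a, r) for a, r in USES_RE.findall(workflow_text)
            if not FULL_SHA_RE.fullmatch(r)]

def renovate_digest_policy(renovate_text):
    """Summarise how a Renovate config treats SHA-pinned GitHub Actions."""
    cfg = json.loads(renovate_text)
    policy = {
        "pins_digests": any(p.endswith("pinGitHubActionDigests") for p in cfg.get("extends", [])),
        "digest_updates_enabled": True,
        "automerge": bool(cfg.get("automerge", False)),
    }
    # Simplification: only these two matchers are read; later rules override earlier ones.
    for rule in cfg.get("packageRules", []):
        managers = rule.get("matchManagers")
        types = rule.get("matchUpdateTypes")
        if managers is not None and "github-actions" not in managers:
            continue
        if types is not None and "digest" not in types:
            continue
        if "enabled" in rule:
            policy["digest_updates_enabled"] = bool(rule["enabled"])
        if "automerge" in rule:
            policy["automerge"] = bool(rule["automerge"])
    return policy

# Constructed sample inputs (action names and SHA are made up).
WORKFLOW = """\
steps:
  - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: example-org/setup-tool@v4
  - uses: ./.github/actions/local
"""
RENOVATE = json.dumps({
    "extends": ["helpers:pinGitHubActionDigests"],
    "packageRules": [{"matchManagers": ["github-actions"], "automerge": True}],
})

if __name__ == "__main__":
    print("not SHA-pinned:", unpinned_actions(WORKFLOW))
    print("renovate policy:", renovate_digest_policy(RENOVATE))
```

A result with `digest_updates_enabled` and `automerge` both true means the pinned SHA changes without a human reviewing the new commit, which is the situation the comment describes.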