FYI you can add zizmor, which warns about things like this, and add a repo config that forces SHAs so that a mistake can't happen in the future (but not sure if you can have the setting globally)
nice, gonna run that on the repo tonight. the manual sha pinning approach was always going to be the kind of thing i'd forget after the next dependabot bump