I recently read https://julienrenaux.fr/2019/12/20/github-actions-security-risk/ which reminds us that depending on external GitHub Actions is risky as branch and tag refs are mutable.

> Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.

Instead of updating to use a SHA everywhere, I wrote a tool to do it for you, making a note of the original version (e.g. @master).

This allows you to run the tool in the future and have the sha updated to the most recent version whilst still pinning to a specific commit.
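
A sketch of the pin-and-refresh idea described above, as an added example and not the code of the tool announced in this post. The `resolve(repo, ref)` callback (in practice something like a wrapper around `git ls-remote`), the trailing-comment convention for recording the tracked ref, and the sample workflow are assumptions made for the illustration.

```python
import re

# One workflow step reference: "- uses: owner/repo[/path]@ref  # comment"
USES_RE = re.compile(
    r"^(?P<head>\s*(?:-\s*)?uses:\s*)(?P<q>['\"]?)(?P<action>[^@\s'\"#]+)"
    r"@(?P<ref>[^\s'\"#]+)(?P=q)\s*(?:#\s*(?P<note>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow fragment (hypothetical action names).
SAMPLE = """\
steps:
  - uses: actions/checkout@v2
  - uses: example-org/deploy/sub@master  # prod only
  - uses: ./local-action
"""


def pin_workflow(text, resolve):
    """Pin each `uses:` ref to the full commit SHA returned by resolve(repo, ref).

    Returns (new_text, changes); changes lists (action, tracked_ref, sha)
    for every line that was rewritten.
    """
    out, changes = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        # Local actions and docker:// images are not git refs; leave them alone.
        if not m or m["action"].startswith(("./", "docker://")):
            out.append(line)
            continue
        action, ref, note = m["action"], m["ref"], m["note"] or ""
        if FULL_SHA_RE.match(ref):
            # Already pinned: refresh only if a comment records the tracked ref
            # (assumed convention: first word of the trailing comment).
            tracked, _, rest = note.partition(" ")
            if not tracked:
                out.append(line)
                continue
        else:
            tracked, rest = ref, note
        repo = "/".join(action.split("/")[:2])  # owner/repo, without sub-path
        sha = resolve(repo, tracked)
        if not FULL_SHA_RE.match(sha):
            raise ValueError(f"non-SHA result for {repo}@{tracked}: {sha!r}")
        rest = rest.strip()
        new = f"{m['head']}{action}@{sha} # {tracked}" + (f" {rest}" if rest else "")
        out.append(new)
        if new != line:
            changes.append((action, tracked, sha))
    return "\n".join(out) + "\n", changes
```

Running the function again on its own output re-resolves the ref recorded in the comment, so a line only changes when the branch or tag has moved to a new commit.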