From 2a939dd49bdb1e0d1c38d33980bcb39186f8e076 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko <wk@sydorenko.org.ua>
Date: Thu, 13 Jul 2023 16:44:47 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=8E=A8=F0=9F=93=9D=20Link=20SHA=20pinning?=
 =?UTF-8?q?=20encouragement=20@=20README?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This article [[1]] describes security flows of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 302717e..59a5921 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ comments in the corresponding [per-release announcement discussions].
 
 The `master` branch version has been sunset. Please, change the GitHub
 Action version you use from `master` to `release/v1` or use an exact
-tag, or a full Git commit SHA.
+tag, or opt-in to [use a full Git commit SHA] and Dependabot.
 
 
 ## Usage
@@ -250,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable
 [pre-commit.ci status badge]:
 https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
 
+[use a full Git commit SHA]:
+https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
+
 [per-release announcement discussions]:
 https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements