Add a README recommendation to pin action versions

Sviatoslav Sydorenko 2019-09-24 23:03:49 +02:00
parent 9cebe9a0ed
commit 74be6d36c6
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: 9345E8FEA89CA455


@ -18,6 +18,11 @@ To use the action add the following step to your workflow file (e.g.
password: ${{ secrets.pypi_password }}
```
> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
Actions that you use to tagged versions or sha1 commit identifiers. This will
make your workflows more secure and better reproducible, saving you from sudden
and unpleasant surprises.
A common use case is to upload packages only on a tagged commit, to do so add a
filter to the step:
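Review bot: the tip tells readers to pin to a tag or a commit SHA but the README still shows no pinned form, so there is nothing to copy; the step example above the tip should itself show the syntax, for instance `uses: owner/action@<full-commit-sha>` with a trailing comment naming the release that SHA corresponds to (the action's own coordinates are not visible in this hunk, so substitute the real ones). Also, a tag is a mutable reference: whoever has write access to the action's repository can move or re-push it, so only the full-length commit SHA gives the immutability the tip implies, and GitHub Actions requires the full SHA rather than an abbreviated one in `uses:`; the text should say that tags are the more readable option with weaker guarantees and SHAs the stronger one. Minor wording and formatting: "better reproducible" should read "more reproducible", and the three continuation lines of the blockquote lack the `>` prefix, which renders through lazy continuation but is easier to maintain if every line is prefixed.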