From 74be6d36c625a504c611c89527779efcbeae6911 Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Tue, 24 Sep 2019 23:03:49 +0200 Subject: [PATCH] Add a README recommendation to pin action versions --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index d520d69..69b3f73 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,11 @@ To use the action add the following step to your workflow file (e.g. password: ${{ secrets.pypi_password }} ``` +> **Pro tip**: instead of using branch pointers, like `master`, pin versions of +Actions that you use to tagged versions or sha1 commit identifiers. This will +make your workflows more secure and better reproducible, saving you from sudden +and unpleasant surprises. + A common use case is to upload packages only on a tagged commit, to do so add a filter to the step:
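Review bot: The blockquote in this README hunk only carries the `>` marker on its first line; the three continuation lines (`Actions that you use to ...`, `make your workflows more secure ...`, `and unpleasant surprises.`) rely on lazy continuation and will break out of the quote if anyone later inserts a blank line, so prefix each of them with `> ` for consistency. On the content, the tip presents tags and commit identifiers as equivalent pins, but a tag is a mutable ref that the action maintainer (or anyone who gains write access to the action's repository) can move, whereas a full commit SHA cannot be silently repointed; consider wording it as "pin to a full commit SHA (a tag is weaker, since it can be moved)" so readers pick the stronger option. Minor wording: "sha1 commit identifiers" reads better as "SHA-1 commit identifiers", and "better reproducible" as "more reproducible".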