Hi again, I'd like to suggest another security practice that helps increasing CI stability and prevent tag renaming attack.

This practice is recommended by both the OpenSSF Scorecard and the github security hardening.

It is really important to ensure privileged actions and/or third-party actions are always hash-pinned.

Considering dependabot grouping PRs, it is now much more easier to ensure keeping actions immutable, but still up to date.

Any concerns or questions about it, let me know!
Thanks.

Additional Context

A tag renaming attack is a type of attack whereby an attacker:

• Hijack an action.
• Upload a malicious version.
• Replace existing tags with malicious versions.