google / guava

Google core libraries for Java

Add action version comments in GitHub workflow files

Marcono1234 opened this issue · comments

The GitHub workflow files of Guava currently refer to action versions by commit hash, for example:

```yaml
- name: 'Check out repository'
  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```

While this is good from a security perspective, it makes it difficult at a glance to see which version number (such as "v1.2.3") of that action is used.

What do you think about adding version comments, such as # v1.2.3, behind the commit hashes? It seems Dependabot will automatically update those comments.

Thanks, adding them should be fine. I dropped them when I switched to hashes because it was ever so slightly easier and because it's not as if there is a runtime check that verifies that the comment is actually accurate. Now, I don't think that the latter is a practical concern because the values are always generated by Dependabot, which we trust. On the other hand, probably nothing we do here is of great practical significance because... we trust Dependabot to update as soon as a problem is identified (and/or for security advisories to recognize the vulnerable version by its hash, I hope, or at least I hope that it doesn't trust the comment!).
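The reply above notes that nothing at runtime checks whether a `# vX.Y.Z` comment actually matches the pinned hash. As an added example (not code from the Guava repository or from either participant), here is a small audit that walks `uses:` lines in a workflow, flags actions not pinned to a full commit SHA or lacking a version comment, and compares each comment against a tag-to-commit map. The workflow text and the `KNOWN_TAGS` map are constructed sample data; in practice the map would come from `git ls-remote --tags` against each action repository.

```python
import re

# Constructed sample workflow (not Guava's own file); the setup-java hash and
# the unpinned step are made up to exercise the checks.
SAMPLE_WORKFLOW = """\
steps:
  - name: 'Check out repository'
    uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  - name: 'Set up JDK'
    uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v3.0.0
  - name: 'Unpinned action'
    uses: some-org/some-action@v2
"""

# Constructed tag -> commit mapping, standing in for `git ls-remote --tags` output.
KNOWN_TAGS = {
    "actions/checkout": {"v4.1.1": "b4ffde65f46336ab88eb53be808477a3936bae11"},
    "actions/setup-java": {"v3.0.0": "fedcba9876543210fedcba9876543210fedcba98"},
}

# Matches `uses: owner/repo[/path]@ref [# comment]`; captures repo, ref, comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, known_tags):
    """Return (line_no, problem) for each `uses:` line that is not pinned to a
    full commit SHA, has no version comment, or whose comment does not resolve
    to that SHA in known_tags."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            findings.append((n, f"{repo} not pinned to a commit SHA (ref={ref})"))
        elif comment is None:
            findings.append((n, f"{repo}@{ref[:7]} has no version comment"))
        else:
            expected = known_tags.get(repo, {}).get(comment)
            if expected is None:
                findings.append((n, f"{repo}: unknown tag {comment}"))
            elif expected != ref:
                findings.append((n, f"{repo}: {comment} is {expected[:7]}, not {ref[:7]}"))
    return findings

if __name__ == "__main__":
    for n, problem in audit_workflow(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {n}: {problem}")
```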