Add a README recommendation to pin action versions

This commit is contained in:
Sviatoslav Sydorenko 2019-09-24 23:03:49 +02:00
parent 9cebe9a0ed
commit 74be6d36c6
No known key found for this signature in database
GPG Key ID: 9345E8FEA89CA455
1 changed files with 5 additions and 0 deletions

View File

@ -18,6 +18,11 @@ To use the action add the following step to your workflow file (e.g.
password: ${{ secrets.pypi_password }}
```
> **Pro tip**: instead of using branch pointers, like `master`, pin versions of
Actions that you use to tagged versions or sha1 commit identifiers. This will
make your workflows more secure and better reproducible, saving you from sudden
and unpleasant surprises.
A common use case is to upload packages only on a tagged commit, to do so add a
filter to the step: