Consider not advocating using action from `main`

[matthewfeickert]

At the moment the v0.1.0 docs advocate that users use the action from main and not from a specific tag.

upload-nightly-action/README.md

Lines 10 to 17 in 80af44f

	jobs:
	steps:
	...
	- name: Upload wheel
	uses: scientific-python/upload-nightly-action@main
	with:
	artifacts_path: dist
	anaconda_nightly_upload_token: ${{secrets.UPLOAD_TOKEN}}

This seems like a security issue that should be avoided and that @webknjaz has discussed before for https://github.com/pypa/gh-action-pypi-publish.

A more secure option is to advocate that users use release tags and dependabot to check for updates to the GitHub Actions that they use and then consider from the PR if the update in the tag is something they are ready to accept. Example .github/dependabot.yml (taken from Scikit-HEP developer recommendations (thanks @henryiii!)):

version: 2
updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

[webknjaz]

FWIW the safest way is to pin commit hashes. Dependabot knows how to bump them for as long as they are tagged..

[henryiii]

(And can add a comment with the tag name)

[matthewfeickert]

@henryiii that's neat — I didn't know that. Do you have an example you can share that I can look at for reference?

[henryiii]

dependabot/dependabot-core#4691 (comment)