top | item 46190582

(no title)

- Using the commit SHA of a released action version is the safest for stability and security.

This is not true for stability in practice: the action often depends on a specific Node version (which may not be supported by the runner at some point) and/or a versioned API that becomes unsupported. I've had better luck with @main.

discuss

bloppe|2 months ago

Depends what you mean by stability. The post is complaining about the lack of lockfiles, and the problem you describe would also be an issue with lockfiles.

Dylan16807|2 months ago

The underlying problem is that you can't keep using the same version, and one way it fails ruins the workaround for a different failure.