- Using the commit SHA of a released action version is the safest for stability and security.

This is not true for stability in practice: the action often depends on a specific Node version (which may not be supported by the runner at some point) and/or a versioned API that becomes unsupported. I've had better luck with @main.

▲

bloppe a day ago | parent [-]

Depends what you mean by stability. The post is complaining about the lack of lockfiles, and the problem you describe would also be an issue with lockfiles.

	▲	Dylan16807 15 hours ago \| parent [-]
		The underlying problem is that you can't keep using the same version, and one way it fails ruins the workaround for a different failure.