DOC: Advocate for using action from tagged release commit shas

* For security best practices, advocate that users of the action use it from known commit shas that correspond to tagged releases. * Advocate that users use a Dependabot config file to update the action on new tags. This will bump the commit sha and also bump the release tag in the comment of the commit sha.
scientific-python · May 31, 2023 · f6c122b · f6c122b
1 parent dbd5a4d
commit f6c122b
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -11,12 +11,25 @@ jobs:
   steps:
     ...
     - name: Upload wheel
-      uses: scientific-python/upload-nightly-action@main
+      uses: scientific-python/upload-nightly-action@8f0394fd2aa0c85d7364a9958652e8994e06b23c # 0.1.0
       with:
         artifacts_path: dist
         anaconda_nightly_upload_token: ${{secrets.UPLOAD_TOKEN}}
 ```
 
+It is recommended that [Dependabot][] is used to keep the GitHub Action updated
+to the latest release by using a `.github/dependabot.yml` config file similar to
+
+```yaml
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+```
+
 To request access to the repository please open an issue on [this action
 repository](https://github.com/scientific-python/upload-nightly-action). You can
 then generate a token at `https://anaconda.org/scientific-python-nightly-wheels/settings/access`
@@ -60,6 +73,6 @@ dependencies:
     - --pre --index-url https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple
     - matplotlib
 ```
-
+[Dependabot]: https://github.com/dependabot
 [nightly package index]: https://anaconda.org/scientific-python-nightly-wheels
 [PyPI]: https://pypi.org/