Add Tags Security Notice

smashedr · smashedr · commit 1ed90a0a6695 · 2025-09-14T12:54:54.000-07:00
diff --git a/.vitepress/theme/custom.css b/.vitepress/theme/custom.css
@@ -1,6 +1,7 @@
 :root {
     --vp-home-hero-name-color: transparent;
     --vp-home-hero-name-background: -webkit-linear-gradient(120deg, #1d63ed 30%, #b3d4f3);
+
     --vp-home-hero-image-background-image: linear-gradient(
         0deg,
         rgba(29, 99, 237, 0.7),
diff --git a/docs/guides/features.md b/docs/guides/features.md
@@ -87,3 +87,17 @@ You can view the release notes for each version on the [releases](https://github
 
 The **Major** tag is recommended. It is the most up-to-date and always backwards compatible.
 Breaking changes would result in a **Major** version bump. At a minimum you should use a **Minor** tag.
+
+### Tags Security Notice
+
+As shown above, tags are mutable; however, **commit hashes are not**. Therefore,
+if security is your top priority, you should pin your actions to a specific commit hash.
+
+- [GitHub Documentation](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions)
+- [Article by StepSecurity](https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide)
+
+&nbsp;
+
+::: tip Action Comparison
+There is also an [Action Comparison](resources.md#action-comparison) on the [Resources](resources.md) guide.
+:::
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
     "postinstall": "npm run get-contributors"
   },
   "dependencies": {
-    "@cssnr/vitepress-plugin-contributors": "^0.0.2",
+    "@cssnr/vitepress-plugin-contributors": "^0.0.3",
     "vitepress": "^1.6.4",
     "vitepress-plugin-group-icons": "^1.6.3"
   },
