Updated github actions example - gh-action-pypi-publish path #1226


Closed

Conversation

bartdorlandt

Fixing the PyPI GitHub Action path.
pypa/gh-action-pypi-publish@release/v1

Purpose

Fixes the path for the GitHub Action used for PyPI publishing.

Rationale

I used the example in my pipeline and it crashed on not finding the path.

Missing download info for pypa/gh-action-pypi-publish@v1

How did you test?

I used the correct path from another working pipeline.

How to Verify

My project is using that path.
https://github.com/bartdorlandt/convert_poetry2uv

@bartdorlandt bartdorlandt changed the title Updated github actions example Updated github actions example - gh-action-pypi-publish path Apr 1, 2025
@codejedi365
Contributor

@bartdorlandt, thank you for putting in the time to recommend a fix for the problem you experienced.

However, it was kinda done on purpose. It's not easy for me to provide an example for a project I don't control (i.e. keep it up to date with the latest version). I could put a note, but I figured people would not blindly copy the example without understanding versions of GitHub Actions.

I do not recommend changing to @release/v1 as that is a branch name within the repository which updates without notification. I expected people to change to an actual tag version v1.X.X which in theory does not change unless dependabot (or renovate) notifies you. Sometimes repos provide a "rolling" tag that allows for the v1 and it moves silently as well but that also has similar problems. As I knew this action didn't, I knew people would be forced to set it to the latest version.

From a security standpoint, you should actually identify each action to a commit sha as we just learned with the supply chain attack facilitated by tj-actions/changed-files.

All in all, the example could be changed to better inform folks to set it up with the considerations above but I don't want to change it to a branch reference. If you want to give it another go based on this feedback then I'll consider the next recommendation.

@codejedi365
Contributor

codejedi365 commented Apr 18, 2025

Changed with PR #1229 to recommend SHA_HASH with a comment of which version it is. This change now is obsolete but still was accomplished to be more clear that end users must make the configuration work for the latest version they want to use. It is not sustainable to have the PSR team keep the example versions up-to-date.
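The pinning advice in the two comments above (a branch such as `release/v1` and a rolling tag such as `v1` both move silently; only a commit SHA is immutable) can be turned into a lint check over a workflow file. The script below is an added example, not code from python-semantic-release or from the PR; the workflow text and the 40-hex SHA in it are constructed placeholders, and the `v1.2.3` tag is an invented version.

```python
import re

# Matches the `uses:` key of a GitHub Actions step, e.g. `- uses: owner/repo@ref`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")
ROLLING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")

def classify_ref(ref):
    """Classify how mutable the reference after '@' is."""
    if SHA_RE.match(ref):
        return "sha"             # immutable: the only reference that cannot be moved
    if SEMVER_TAG_RE.match(ref):
        return "semver-tag"      # stable by convention, but a tag can still be re-pointed
    if ROLLING_TAG_RE.match(ref):
        return "rolling-tag"     # e.g. v1: moves silently with each release
    return "branch-or-other"     # e.g. release/v1: updates without notification

def audit_workflow(yaml_text):
    """Return (action, ref, classification) for every remote action reference."""
    findings = []
    for spec in USES_RE.findall(yaml_text):
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local composite actions and container images are not git refs
        action, _, ref = spec.partition("@")
        findings.append((action, ref, classify_ref(ref) if ref else "unpinned"))
    return findings

def unpinned(yaml_text):
    """Only the references that are not pinned to a commit SHA."""
    return [f for f in audit_workflow(yaml_text) if f[2] != "sha"]

# Constructed sample workflow. The SHA is a placeholder, not a real commit,
# and v1.2.3 is an invented version number.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: pypa/gh-action-pypi-publish@v1
      - uses: pypa/gh-action-pypi-publish@v1.2.3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for action, ref, kind in unpinned(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {kind} (pin to a commit SHA with the version in a comment)")
```

Run against a repository's `.github/workflows/*.yml` files to list every step that would silently pick up upstream changes.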
