docs: recommend pinning Action version to a commit SHA for security

Author: unhappychoice

README.md

@@ -61,6 +61,8 @@ Your first report will be live within 5 minutes.
 
 See [Manual Setup](docs/manual-setup.md) if you prefer to configure everything yourself.
 
+> **Security tip:** The setup command uses `@main` in the generated workflow files. For production use, pin the action to a commit SHA and the CLI to a specific version. See [Pinning Versions](docs/customization.md#pinning-versions).
+
 ## Cost
 
 **The entire stack runs at $0/month on a public repository.**

docs/customization.md

@@ -129,13 +129,31 @@ To change the automatic schedule, edit the `cron:` line. GitHub Actions cron use
 
 The daily fetch should run every day. The weekly report should run once a week (typically Monday), after the daily fetch completes.
 
-## Pinning the CLI Version
+## Pinning Versions
 
-By default, workflows use the latest version of the npm package. To pin a specific version for reproducibility, add the `version` input:
+### Action Version
+
+By default, the setup command and manual-setup examples reference the action with `@main`. For better security and reproducibility, pin the action to a specific commit SHA:
+
+```yaml
+# Before (tracks the main branch, picks up any future change automatically):
+- uses: deariary/github-weekly-reporter@main
+
+# After (pinned to a specific commit):
+- uses: deariary/github-weekly-reporter@<full-commit-sha>   # v0.8.5
+```
+
+To find the SHA for a release, visit the [releases page](https://github.com/deariary/github-weekly-reporter/releases) and copy the full commit hash of the tagged commit. Adding a trailing comment with the version tag makes it easy to see which version you are on.
+
+Dependabot and Renovate can automate SHA updates when new versions are released.
+
+### CLI Version
+
+By default, workflows use the latest version of the npm package (`npx github-weekly-reporter@latest`). To pin a specific version, add the `version` input:
 
 ```yaml
 with:
-  version: '0.3.0'
+  version: '0.8.5'
 ```
 
 ## Theme

docs/manual-setup.md

@@ -51,6 +51,8 @@ jobs:
       # repositories. The default GITHUB_TOKEN only has access to the
       # current repository.
       # Add your PAT as a repository secret named GH_PAT (see Step 3).
+      # Tip: pin to a commit SHA instead of @main for better security.
+      # See "Pinning Versions" in docs/customization.md.
       - uses: deariary/github-weekly-reporter@main
         with:
           github-token: ${{ secrets.GH_PAT }}
@@ -86,6 +88,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      # Tip: pin to a commit SHA instead of @main for better security.
+      # See "Pinning Versions" in docs/customization.md.
       - uses: deariary/github-weekly-reporter@main
         with:
           github-token: ${{ secrets.GH_PAT }}