Using `@v1` should not be recommended (absent immutable versions)

[jsoref]

toolkit/docs/action-versioning.md

Line 9 in 1b1e815

- uses: actions/javascript-action@v1 # recommended. starter workflows use this

This contradicts:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

You can help mitigate this risk by following these good practices:

Pin actions to a full length commit SHA