Description
The original `v4.0.0` tag pointed to `3df4ab1`. Later the `v4.0.0` tag was changed to point to `1e31de5`, which isn't part of any branch on the actions/checkout repository, so it gives the same scary warning that GitHub gives for commits that aren't part of a parent repository (i.e., a security issue):
> **Warning**
> This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
I know this is true because we pin commit SHAs of our GitHub Actions along with the Dependabot version comment and are now seeing that the commit SHAs don't match their earlier values.
Due to the widespread usage of this action, it's concerning to me to see tags getting rewritten. It's not clear to me whether these rewritten tags were on purpose or by accident. Obviously users should be pinning actions to commit SHAs instead of tags, but it is likely that many users aren't pinning to commit SHAs.
Even when pinning to a commit SHA, this tag rewrite means users will be receiving concerning pull requests like this one: urllib3/urllib3#3243 and version information in the action won't be updated properly (arguably a bug in Dependabot).
In the future, instead of updating an existing tag, can a new tag be created with whatever the desired fix is?
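The check described in this report (a workflow's pinned SHA plus the Dependabot-style `# vX.Y.Z` comment, compared against the commit the tag resolves to now), as an added example; this is not code from the issue or from actions/checkout. It assumes the output of `git ls-remote --tags <url>` as its input. The sample `ls-remote` output and sample workflow below are constructed: they use the abbreviated SHAs quoted in the issue (`3df4ab1`, `1e31de5`), so SHAs are compared by prefix, and `f00d000` is a placeholder for an annotated tag object.

```python
"""Detect a rewritten action tag by comparing the SHA pinned in a workflow's
`uses:` line (with its Dependabot-style `# vX.Y.Z` comment) against the commit
the tag currently resolves to.  Added example, not actions/checkout code."""
import re
from typing import Dict, List, Optional, Tuple

# `uses: owner/repo@<ref> # <version>`; ref is a hex SHA (pinned) or a tag/branch name.
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[0-9a-fA-F]{7,40}\b|[\w./-]+)"
    r"(?:\s*#\s*(?P<version>v?\d[\w.-]*))?"
)
SHA_RE = re.compile(r"[0-9a-fA-F]{7,40}")

# Constructed sample of `git ls-remote --tags https://github.com/actions/checkout`
# output, restricted to the tag discussed in the issue.  Real output carries
# full 40-hex SHAs; the abbreviated values here are the ones quoted above.
SAMPLE_LS_REMOTE = (
    "f00d000\trefs/tags/v4.0.0\n"       # placeholder: the annotated tag object itself
    "1e31de5\trefs/tags/v4.0.0^{}\n"    # peeled: the commit the tag now points to
)

# Constructed sample workflow: one pinned step (old SHA) and one tag-only step.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@3df4ab1 # v4.0.0
      - uses: actions/checkout@v4.0.0
"""


def parse_uses(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract repo, ref and version comment from a `uses:` line, or None."""
    m = USES_RE.search(line)
    if not m:
        return None
    return {"repo": m.group("repo"), "ref": m.group("ref"), "version": m.group("version")}


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    Each line is '<sha>\\t<ref>'.  An annotated tag appears twice: the tag object
    as refs/tags/NAME and the commit it points at as refs/tags/NAME^{}.  The peeled
    commit is what the Actions runner checks out, so it takes precedence."""
    tags: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)   # lightweight tag, or annotated object for now
    return tags


def same_commit(a: str, b: str) -> bool:
    """Prefix comparison so abbreviated and full SHAs can be matched."""
    a, b = a.lower(), b.lower()
    return a.startswith(b) or b.startswith(a)


def check_pin(uses_line: str, current_tags: Dict[str, str]) -> str:
    """Classify one `uses:` line against the tags' current targets.

    'moved' is the case from the issue: the SHA was pinned, the version comment
    still names the tag, but the tag now resolves to a different commit."""
    pin = parse_uses(uses_line)
    if pin is None:
        return "no-uses"
    ref, version = pin["ref"], pin["version"]
    if ref is None or not SHA_RE.fullmatch(ref):
        return "not-pinned"              # a tag or branch ref silently follows rewrites
    if version is None:
        return "pinned-no-version"       # pinned, but nothing to compare the tag against
    current = current_tags.get(version)
    if current is None:
        return "unknown-tag"             # version comment names a tag that no longer exists
    return "ok" if same_commit(ref, current) else "moved"


def audit_workflow(text: str, current_tags: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line number, repo, status) for every `uses:` line in a workflow."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pin = parse_uses(line)
        if pin is not None and pin["repo"] is not None:
            report.append((lineno, pin["repo"], check_pin(line, current_tags)))
    return report


if __name__ == "__main__":
    tags = parse_ls_remote(SAMPLE_LS_REMOTE)
    for lineno, repo, status in audit_workflow(SAMPLE_WORKFLOW, tags):
        print(f"line {lineno}: {repo}: {status}")
```

In practice the `SAMPLE_LS_REMOTE` string is replaced by the real output of `git ls-remote --tags https://github.com/actions/checkout`, and a `moved` result is the signal to inspect the new commit before accepting the bump (the reachability warning GitHub shows is exactly the kind of thing to check). Lines that come back `not-pinned` are the ones that would have silently picked up the rewritten tag.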