GitHub Actions should be referenced by a SHA and to keep them updated this SHA should be a GitHub release so Dep[endabot can see the changes. If I want to use the latest version of this action I either need to use main and accept an insecure solution or I can use 210248e8ae1ae1550aa6e232c6f192b3ccbf7335 but not get updates from Dependabot.