🎨📝 Link SHA pinning encouragement @ README

This article [[1]] describes security flows of using branches and
tags as an end-user. The commit is intended to educate them but not
force doing so if they don't want to.

[1]: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/

Author: webknjaz

README.md

@@ -18,7 +18,7 @@ comments in the corresponding [per-release announcement discussions].
 
 The `master` branch version has been sunset. Please, change the GitHub
 Action version you use from `master` to `release/v1` or use an exact
-tag, or a full Git commit SHA.
+tag, or opt-in to [use a full Git commit SHA] and Dependabot.
 
 
 ## Usage
@@ -250,6 +250,9 @@ https://results.pre-commit.ci/latest/github/pypa/gh-action-pypi-publish/unstable
 [pre-commit.ci status badge]:
 https://results.pre-commit.ci/badge/github/pypa/gh-action-pypi-publish/unstable/v1.svg
 
+[use a full Git commit SHA]:
+https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
+
 [per-release announcement discussions]:
 https://github.com/pypa/gh-action-pypi-publish/discussions/categories/announcements