Currently we use tag-based versioning, which is more intuitive and reads more clearly in logs, but it is less secure than pinning the action to a full commit hash:
blue-build/github-action@v1.7.0
Pinning to a commit hash has the advantage that a tag such as v1.7.0 is mutable: the maintainer, or anyone who compromises the maintainer's account or the repository, can move it to a different commit, and every workflow using that tag silently picks up the new code. A commit hash identifies exactly one commit, so the behaviour of the same-versioned action cannot be swapped out without the reference in the workflow itself changing. Use the full 40-character hash (an abbreviated one is ambiguous) and keep the tag in a trailing comment so the version stays readable. Note that the pin covers only the action's own repository contents; anything the action fetches at run time is not pinned by it.
blue-build/github-action@33ee8cc4011b0d47666ea7026d08bb5b941ac90c # v1.7.0
Codacy also recommends this.
Dependabot still works with hash-pinned actions: it updates the hash and the trailing version comment together.
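As an added example (not blue-build project code), the following script scans a workflow for uses: references that are not pinned to a full commit SHA and rewrites them into the repo@sha # tag form shown above. The sample workflow is constructed for illustration; the blue-build line in it is the pinned form quoted on this page, while the actions/checkout SHA in the RESOLVED mapping is a placeholder, not the real commit.

```python
"""Added example, not blue-build project code: flag and pin GitHub Actions
`uses:` references that are not pinned to a full commit SHA."""
import re

# Matches `uses: owner/repo@ref`, with or without a leading `- `, optional
# quotes, and an optional trailing `# comment`.
USES_RE = re.compile(
    r'^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<quote>["\']?)'
    r'(?P<ref>[^\s"\'#]+)(?P=quote)(?P<rest>\s*(?:#.*)?)$'
)
# Only a full 40-hex SHA counts as a pin; abbreviated SHAs are ambiguous.
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')


def classify(ref: str) -> str:
    """Return 'local', 'digest', 'sha' (immutable) or 'mutable' (a tag,
    branch or image tag that its owner, or an attacker, can move)."""
    if ref.startswith('./'):
        return 'local'      # versioned with the calling repository itself
    if ref.startswith('docker://'):
        return 'digest' if '@sha256:' in ref else 'mutable'
    if '@' in ref and FULL_SHA_RE.fullmatch(ref.rsplit('@', 1)[1]):
        return 'sha'
    return 'mutable'


def find_unpinned(workflow_text: str) -> list:
    """Return [(line_number, ref), ...] for every mutable reference."""
    hits = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group('ref')) == 'mutable':
            hits.append((lineno, m.group('ref')))
    return hits


def pin_line(line: str, resolved: dict) -> str:
    """Rewrite `uses: owner/repo@tag` as `uses: owner/repo@<sha> # tag`.

    `resolved` maps 'owner/repo@tag' to a full commit SHA. Outside this
    offline example you would fill it from
    `git ls-remote --tags https://github.com/owner/repo tag`, taking the
    `tag^{}` line for annotated tags (the plain line is the tag object,
    not the commit). Docker refs and already-pinned refs are left alone.
    """
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group('ref')
    if classify(ref) != 'mutable' or ref.startswith('docker://') or '@' not in ref:
        return line
    action, tag = ref.rsplit('@', 1)
    sha = resolved.get(ref)
    if sha is None or not FULL_SHA_RE.fullmatch(sha):
        raise ValueError(f'no full commit SHA known for {ref}')
    return f'{m.group("prefix")}{action}@{sha} # {tag}'


def pin_workflow(workflow_text: str, resolved: dict) -> str:
    """Apply pin_line to every line, preserving everything else."""
    return '\n'.join(pin_line(l, resolved) for l in workflow_text.splitlines()) + '\n'


# Constructed sample workflow. The blue-build line is the pinned form quoted
# on this page; the checkout SHA in RESOLVED is a placeholder, not the real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: blue-build/github-action@33ee8cc4011b0d47666ea7026d08bb5b941ac90c # v1.7.0
      - uses: "docker://alpine:3.19"
"""
RESOLVED = {'actions/checkout@v4': '0123456789abcdef0123456789abcdef01234567'}  # placeholder

if __name__ == '__main__':
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {ref} is not pinned to a commit SHA')
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED))
```

Running it reports the actions/checkout@v4 and docker://alpine:3.19 lines as unpinned and prints the workflow with the checkout step rewritten to the hash-plus-comment form; the Docker image is left for a manual @sha256: digest, since a git commit hash does not apply to it.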
See also:
https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash