scientific-python / upload-nightly-action

This action is used to upload nightly builds of your package.
https://anaconda.org/scientific-python-nightly-wheels
BSD 3-Clause "New" or "Revised" License

Write summary of when to and when not to pin actions to hash level #105

Open matthewfeickert opened 1 week ago

matthewfeickert commented 1 week ago

We pin everything to hashes in here, please do so with this one, too.

_Originally posted by @bsipocz in https://github.com/scientific-python/upload-nightly-action/pull/101#discussion_r1781756288_

I was decently vocal about wanting stringent locking of things inside of Linux containers and for the upload-nightly-action in PR https://github.com/scientific-python/upload-nightly-action/pull/13, but I am less convinced that trying to pin every GitHub Action to the hash level is a useful or even good idea (there are some that you definitely do want to pin, but I don't think this applies to all).

I should write a more comprehensive overview of what I'm thinking here when it is a more reasonable time of day, but the core point is that (as @henryiii describes in https://github.com/davidism/gha-update/issues/3#issuecomment-2330525577) GitHub Actions is not a static platform like Travis CI tried to be, and pinning everything at the hash level when the underlying runner operating system floats with no user control is arguably worse (in that it can lead to breakages) than having different levels of tolerance for GitHub Action versions depending on the action.

I'm hoping that other people have thought more on this than I have though, so it would be great to get everyone's thoughts, examples of things working given choices, and (most educational for me) examples of things breaking because of choices.

bsipocz commented 1 week ago

I know Henry's arguments, and I don't disagree with them, especially about the official github actions, but also, in practice, I haven't run into a situation where pinning was a problem, and IMO consistency within the same file is not a bad approach (re the original comment where only the third party, pixi action wasn't pinned to a hash).
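As an added example (not code from this repository or from either commenter), a small Python audit that classifies the ref in every `uses:` line of a workflow the way the thread distinguishes them: a full commit SHA, a release tag, or a mutable branch ref, with tags accepted only from a trusted owner such as the official `actions/*`. The `trusted_owners` policy, the `example-org/*` action names and the SHA are assumptions constructed for this example.

```python
import re

# Full 40-hex commit SHA: the only ref form that cannot be moved afterwards.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Release-style tag (v4, v5.1.0, 1.2); anything else is a branch or other mutable ref.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
# `uses: target` with an optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")


def classify_ref(ref):
    """Return 'sha', 'tag' or 'mutable' for the ref part of a `uses:` target."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "mutable"


def audit_workflow(text, trusted_owners=("actions",)):
    """Return (action, ref, kind, acceptable) for every `uses:` line.
    Policy (an assumption for this example, mirroring the thread): a full SHA is
    always acceptable, a version tag only for a trusted owner such as the official
    `actions/*`, a mutable ref never. `./` and `docker://` targets are skipped.
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # not a git ref
        action, _, ref = target.partition("@")
        kind = classify_ref(ref)
        owner = action.split("/")[0]
        acceptable = kind == "sha" or (kind == "tag" and owner in trusted_owners)
        findings.append((action, ref, kind, acceptable))
    return findings


# Constructed sample workflow; third-party action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v0.8.1
      - uses: example-org/other-tool@main
      - uses: ./.github/actions/local-step
      - uses: example-org/pinned-tool@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the tag-pinned third-party action and the `@main` ref, accepts the official action's tag and the SHA-pinned action, and skips the local step; pass `trusted_owners=()` to require SHAs for everything, as the original review comment asked.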