docs: risks of pinning

Author: sam-robson

README.md

@@ -77,6 +77,18 @@ We typically release new minor versions of the CodeQL Action and Bundle when a n
 
 See the full list of GHES release and deprecation dates at [GitHub Enterprise Server releases](https://docs.github.com/en/enterprise-server/admin/all-releases#releases-of-github-enterprise-server).
 
+## Keeping the CodeQL Action up to date
+
+We recommend referencing the CodeQL Action using a major version tag (e.g. `v3`) in your workflow file. This ensures your workflow automatically picks up the latest release within that major version, including bug fixes, new features, and updated CodeQL CLI versions.
+
+**Avoid pinning to a specific commit SHA, patch version tag, or branch name.** Some CodeQL Action features are controlled by server-side flags that may be removed over time. Pinning an old version can cause these features to silently stop working.
+
+```yaml
+- uses: github/codeql-action/init@v3                              # Recommended
+- uses: github/codeql-action/init@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d # Not recommended
+```
+
+
 ## Troubleshooting
 
 Read about [troubleshooting code scanning](https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning).