JasonN3
commented
3 months ago The documentation says it will be sha-sha, so that won't match the expected value. I'm kinda surprised GitHub recommends pinning to a commit sha but doesn't offer an easy way to reference the tag/branch and commit at the same time like how docker images can be referenced as tag@sha so the tag gets used but the sha verifies you're using the one you want. Also, referencing the action using the commit will only ensure you're using the action.yml you expect. It will not do anything to ensure you're using the expected container. Even though I never would, I could tag a completely different image with the same commit and then it would run different commands.
I see this as kinda pointless, but since it is considered best practice, I'm fine with it being implemented. You just need to change it to use the GitHub variable for the sha, which should be github.sha.
Fixes #134
I have not been able to test this myself, but according to the documentation, this should work.
This allows us to pin to a specific git hash, rather than being on a mutable reference.