Unable to use SHA ref in workflow

[riker09]

It is not possible to use this action in a workflow when using a specific version. Please also see my post in the GitHub Community Forum https://github.community/t/using-a-sha-for-remote-actions-not-working-as-expected/251451

In short:

    name: 'GitHub Action for Firebase'
    author: 'Jeremy Shore'
    description: 'Wraps the firebase-tools CLI to enable common commands.'
    branding:
      icon: 'package'
      color: 'gray-dark'
    runs:
      using: 'docker'
      image: 'docker://w9jds/firebase-action:latest'

The Docker image is always using :latest. I don't know if it is possible to use a tag or SHA here provided by the remote (aka. "my") workflow. But currently this action contradicts the security best practices from GitHub itself: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

[w9jds]

Yes, that is what I just tried to address with a whole new build upgrade last weekend on this action. I missed this yaml config. I need to update it then it will work. Look at #128 you can actually point to specific versions of the image moving forward but until I pushed 2.1.0 the image always pulled latest. You can actually point it to the docker image too via your action but again won't work for anything before 2.1.0 sadly. This is a docker action, SHA only works if it builds the docker image each time it runs, if this value changes each time (which it will now) or if it's a JavaScript based action. Due to complaints on how long the docker image took to build each run it was converted to a pre-compiled image for faster action run times.