Differentiate between commit SHA and tag SHA #2132

Open
jenstroeger opened this issue Aug 8, 2022 · 8 comments

@jenstroeger

Is your feature request related to a problem? Please describe.

Related to my question/issue actions/checkout#874. As described there, we had pinned an Action like so:

    - name: Checkout repository
      uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28

where d065129 was an annotated tag named v3 and not an existing commit. Furthermore, folks rewrite that tag whenever a new version 3 is released so that that “pin” isn’t really a pin at all.

Describe the solution you'd like

Warn me if a SHA is not a commit SHA, i.e. if the pin can be redirected.

Describe alternatives you've considered

Manually cross-checking that the pinned Actions actually reference commit SHAs.

Additional context

Pretty please?

@jenstroeger jenstroeger added the kind/enhancement New feature or request label Aug 8, 2022
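
An added example, not part of the original thread or the project's code: a sketch of the requested check that classifies each `uses:` pin against `git ls-remote --tags` output, where an annotated tag shows up as a tag-object line plus a peeled `^{}` line. The sample output, the placeholder SHAs and the function names are constructed for illustration.

```python
import re

# Constructed samples: `git ls-remote --tags <repo-url>` output and a workflow
# fragment. The first SHA is the pin quoted in the issue; the rest are placeholders.
SAMPLE_LS_REMOTE = (
    "d0651293c4a5a52e711f25b41b05b2212f385d28\trefs/tags/v3\n"
    "1111111111111111111111111111111111111111\trefs/tags/v3^{}\n"
    "2222222222222222222222222222222222222222\trefs/tags/v3.0.0\n"
)
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
  - uses: actions/checkout@1111111111111111111111111111111111111111
  - uses: actions/checkout@3333333333333333333333333333333333333333
  - uses: actions/checkout@v3
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)
SHA_RE = re.compile(r"[0-9a-f]{40}")

def parse_ls_remote(text):
    """Map each advertised SHA to 'tag-object' or 'commit'."""
    lines = (l.split("\t") for l in text.splitlines() if l.strip())
    refs = {ref: sha for sha, ref in lines}
    kinds = {}
    for ref, sha in refs.items():
        if ref.endswith("^{}"):
            kinds[sha] = "commit"        # peeled target (assumed to be a commit)
        elif ref + "^{}" in refs:
            kinds[sha] = "tag-object"    # annotated tag object, not a commit
        else:
            kinds.setdefault(sha, "commit")  # lightweight tag or branch tip
    return kinds

def audit_pins(workflow, ls_remote):
    """Return (action, ref, verdict) for each `uses:` pin in the workflow text."""
    kinds = parse_ls_remote(ls_remote)
    results = []
    for action, ref in USES_RE.findall(workflow):
        if not SHA_RE.fullmatch(ref):
            verdict = "not-a-sha"        # tag or branch name, not pinned at all
        else:
            # A SHA at no ref tip needs an object lookup (git cat-file -t).
            verdict = kinds.get(ref, "unknown")
        results.append((action, ref, verdict))
    return results

if __name__ == "__main__":
    for row in audit_pins(SAMPLE_WORKFLOW, SAMPLE_LS_REMOTE):
        print(*row)
```

A pin reported as `tag-object` is the case described in this issue; `unknown` means the SHA is not at any advertised ref tip and its type has to be looked up in a clone.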
@laurentsimon
Contributor

laurentsimon commented Aug 12, 2022

This would be a nice improvement. Can you give an example repository? I'm not following the part that d065129 was an annotated tag named v3. The annotated tag is an object, so its commit hash would change if there was a force push to update it, no?

I've not fiddled much with annotated tags, so please bear with me :)

@jenstroeger
Author

jenstroeger commented Aug 12, 2022

> Can you give an example repository?

If you take a look at the actions/checkout repository you’ll see that there is no commit d065129. However, there is a tag named v3 whose SHA d065129 “points at” (references, aliases, I’m unsure) a different commit whenever there’s an update.

I’m waiting for a response to that discussion in issue actions/checkout#874 (comment).

@github-actions

Stale issue message - this issue will be closed in 7 days

@jenstroeger
Author

Uhm. Ping?


This issue is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Dec 15, 2023
@spencerschrock
Member

spencerschrock commented Dec 28, 2023

Yes, this would entirely defeat the purpose of a pinned GitHub Action. Hmm, this is similar to #2733, and a result of a GitHub implementation detail.

@laurentsimon I'm curious if we should have these API intensive tasks available as additional probes for people to run when needed, just not by default.

@laurentsimon
Contributor

> Yes, this would entirely defeat the purpose of a pinned GitHub Action. Hmm, this is similar to #2733, and a result of a GitHub implementation detail.
>
> @laurentsimon I'm curious if we should have these API intensive tasks available as additional probes for people to run when needed, just not by default.

+1 on having a probe for it.


This issue is stale because it has been open for 60 days with no activity.
