mheap/pin-github-action

It pins to wrong SHA

hawkeye116477 opened this issue · 2 comments

I added

        steps:
            - uses: actions/checkout@v2


and it pins to actions/checkout@f1d3225, which doesn't exist.

mheap commented

This looks like a bug with the GH API:

Looking at the actions/checkout v2 tag, the commit hash is 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

When calling the API, I get the following response:

GET https://api.github.com/repos/actions/checkout/git/ref/tags%2Fv2
{
  "ref": "refs/tags/v2",
  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92Mg==",
  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v2",
  "object": {
    "sha": "f1d3225b5376a0791fdee5a0e8eac5289355e43a",
    "type": "tag",
    "url": "https://api.github.com/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a"
  }
}

Let me raise an issue with GH and see what's going on.

mheap commented

I've done some more digging. It looks like f1d3225b5376a0791fdee5a0e8eac5289355e43a is a valid SHA. It's the SHA of the tag, not the commit.

I cloned the repo and could check out that SHA, which points to tags/v2:

/tmp/checkout main
❯ git checkout f1d3225b5376a0791fdee5a0e8eac5289355e43a
Note: switching to 'f1d3225b5376a0791fdee5a0e8eac5289355e43a'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 5a4ac90 Add missing `await`s (#379)

/tmp/checkout tags/v2
❯

Using the API we can fetch the ref for tags/v2 (https://api.github.com/repos/actions/checkout/git/refs/tags/v2):

{
  "ref": "refs/tags/v2",
  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92Mg==",
  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v2",
  "object": {
    "sha": "f1d3225b5376a0791fdee5a0e8eac5289355e43a",
    "type": "tag",
    "url": "https://api.github.com/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a"
  }
}

Following the URL for the tag (https://api.github.com/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a) shows the commit:

{
  "node_id": "MDM6VGFnMTk3ODE0NjI5OmYxZDMyMjViNTM3NmEwNzkxZmRlZTVhMGU4ZWFjNTI4OTM1NWU0M2E=",
  "sha": "f1d3225b5376a0791fdee5a0e8eac5289355e43a",
  "url": "https://api.github.com/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a",
  "tagger": {
    "name": "TingluoHuang",
    "email": "TingluoHuang@github.com",
    "date": "2020-11-03T14:54:08Z"
  },
  "object": {
    "sha": "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f",
    "type": "commit",
    "url": "https://api.github.com/repos/actions/checkout/git/commits/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f"
  },
  "tag": "v2",
  "message": "Update v2 tag\n",
  "verification": {
    "verified": false,
    "reason": "unsigned",
    "signature": null,
    "payload": null
  }
}

Inside that is a commit object showing the correct SHA of 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f.

In summary:

  • f1d3225b5376a0791fdee5a0e8eac5289355e43a is the SHA for the tag
  • 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f is the SHA for the commit

pin-github-action is fetching the tag SHA rather than the commit SHA, but still works as intended.
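The two-hop lookup described in the comments above, as an added example that is not part of pin-github-action and not mheap's code: it fetches `git/ref/tags/<tag>`, and when the returned object is of type `tag` (an annotated tag, as with actions/checkout v2) it follows the object's URL to the tag object and reads the commit SHA from there. It also handles the lightweight-tag case the thread does not show (the ref already points at a `commit`, so no second hop is needed) and refuses to pin if the chain ends in anything other than a commit. The fixture responses are taken from the JSON quoted in this issue, trimmed to the fields the resolver uses; the `tags/lightweight-example` ref, its SHA, the `fetch_json` callback shape and the `owner/repo@sha # tag` output format are assumptions made for the example, not pin-github-action's own behaviour.

```python
"""Resolve a GitHub Actions tag to the commit SHA it ultimately points at.

Added example (not pin-github-action's code). GET /repos/{owner}/{repo}/git/ref/{ref}
returns the ref's object; for an annotated tag that object has type "tag" and
its own SHA (f1d3225... in the issue), and only the tag object's "object" names
the commit (5a4ac90...). Lightweight tags return type "commit" directly.
"""
import re
from typing import Callable, Dict

API = "https://api.github.com"

# Constructed offline fixture keyed by URL. The first two entries are the
# responses quoted in the issue (trimmed); the third is a hypothetical
# lightweight tag so the single-hop path is exercised too.
FIXTURE: Dict[str, dict] = {
    f"{API}/repos/actions/checkout/git/ref/tags%2Fv2": {
        "ref": "refs/tags/v2",
        "object": {
            "sha": "f1d3225b5376a0791fdee5a0e8eac5289355e43a",
            "type": "tag",
            "url": f"{API}/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a",
        },
    },
    f"{API}/repos/actions/checkout/git/tags/f1d3225b5376a0791fdee5a0e8eac5289355e43a": {
        "sha": "f1d3225b5376a0791fdee5a0e8eac5289355e43a",
        "tag": "v2",
        "object": {
            "sha": "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f",
            "type": "commit",
            "url": f"{API}/repos/actions/checkout/git/commits/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f",
        },
    },
    # Hypothetical lightweight tag: the ref points straight at a commit.
    f"{API}/repos/actions/checkout/git/ref/tags%2Flightweight-example": {
        "ref": "refs/tags/lightweight-example",
        "object": {
            "sha": "0123456789abcdef0123456789abcdef01234567",
            "type": "commit",
            "url": f"{API}/repos/actions/checkout/git/commits/0123456789abcdef0123456789abcdef01234567",
        },
    },
}

Fetcher = Callable[[str], dict]


def fixture_fetch(url: str) -> dict:
    """Offline stand-in for an HTTP GET; raises LookupError like a 404 would."""
    if url not in FIXTURE:
        raise LookupError(f"no fixture for {url}")
    return FIXTURE[url]


def ref_url(owner: str, repo: str, ref: str) -> str:
    # The API path in the issue percent-encodes the slash: git/ref/tags%2Fv2
    return f"{API}/repos/{owner}/{repo}/git/ref/{ref.replace('/', '%2F')}"


def resolve_commit_sha(owner: str, repo: str, ref: str,
                       fetch_json: Fetcher = fixture_fetch, max_hops: int = 5) -> str:
    """Return the commit SHA behind a ref such as 'tags/v2', peeling annotated tags."""
    obj = fetch_json(ref_url(owner, repo, ref))["object"]
    hops = 0
    # An annotated tag's ref object is the tag object itself; follow its URL
    # until a commit is reached (tags may, in principle, point at other tags).
    while obj["type"] == "tag":
        hops += 1
        if hops > max_hops:
            raise ValueError(f"{ref}: tag chain deeper than {max_hops} hops")
        obj = fetch_json(obj["url"])["object"]
    if obj["type"] != "commit":
        raise ValueError(f"{ref}: resolved to a {obj['type']} object, not a commit")
    return obj["sha"]


def pin_uses(uses: str, fetch_json: Fetcher = fixture_fetch) -> str:
    """Rewrite 'owner/repo@tag' to 'owner/repo@<commit sha> # tag' (assumed format)."""
    slug, _, ref = uses.partition("@")
    owner, repo = slug.split("/", 1)
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return uses  # already pinned to a full SHA; leave untouched
    sha = resolve_commit_sha(owner, repo, f"tags/{ref}", fetch_json)
    return f"{slug}@{sha} # {ref}"


if __name__ == "__main__":
    for line in ("actions/checkout@v2", "actions/checkout@lightweight-example"):
        print(pin_uses(line))
```

With a real fetcher (for instance `urllib.request.urlopen` on the same URLs, raising `LookupError` on a 404), the resolver yields the commit SHA the thread identifies as the right pin, and the lightweight-tag branch returns after a single request.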