These SHAs are git commit SHAs. Most of them can be validated by looking up the tag using the API.
Here is an example for actions/setup-node@v2:
https://api.github.com/repos/actions/setup-node/git/refs/tags/v2
This should return a result like this:
{
  "ref": "refs/tags/v2",
  "node_id": "MDM6UmVmMTg5NDc2OTA0OnJlZnMvdGFncy92Mg==",
  "url": "https://api.github.com/repos/actions/setup-node/git/refs/tags/v2",
  "object": {
    "sha": "1f8c6b94b26d0feae1e387ca63ccbdc44d27b561",
    "type": "commit",
    "url": "https://api.github.com/repos/actions/setup-node/git/commits/1f8c6b94b26d0feae1e387ca63ccbdc44d27b561"
  }
}
Notice this tag has a commit SHA associated with it: the object type is commit. With this information, we should be able to pull the pinned action by the SHA: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561
For others, this isn't straightforward. For example, actions/checkout@v2:
https://api.github.com/repos/actions/checkout/git/refs/tags/v2
{
  "ref": "refs/tags/v2",
  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92Mg==",
  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v2",
  "object": {
    "sha": "629c2de402a417ea7690ca6ce3f33229e27606a5",
    "type": "tag",
    "url": "https://api.github.com/repos/actions/checkout/git/tags/629c2de402a417ea7690ca6ce3f33229e27606a5"
  }
}
Notice the object type is tag and not commit, so we can't use that SHA to pull.
Instead, we have to query the URL given in the object, https://api.github.com/repos/actions/checkout/git/tags/629c2de402a417ea7690ca6ce3f33229e27606a5, to get the commit SHA. That query should return:
{
  "node_id": "TA_kwDOC8ppZdoAKDYyOWMyZGU0MDJhNDE3ZWE3NjkwY2E2Y2UzZjMzMjI5ZTI3NjA2YTU",
  "sha": "629c2de402a417ea7690ca6ce3f33229e27606a5",
  "url": "https://api.github.com/repos/actions/checkout/git/tags/629c2de402a417ea7690ca6ce3f33229e27606a5",
  "tagger": {
    "name": "eric sciple",
    "email": "[email protected]",
    "date": "2021-11-02T17:49:38Z"
  },
  "object": {
    "sha": "ec3a7ce113134d7a93b817d10a8272cb61118579",
    "type": "commit",
    "url": "https://api.github.com/repos/actions/checkout/git/commits/ec3a7ce113134d7a93b817d10a8272cb61118579"
  },
  "tag": "v2",
  "message": "Update v2 tag\n",
  "verification": {
    "verified": false,
    "reason": "unsigned",
    "signature": null,
    "payload": null
  }
}
With the above-mentioned SHA, ec3a7ce113134d7a93b817d10a8272cb61118579, we should be able to pull actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
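Both lookups above can be combined into one resolver that follows the object URL whenever the type is tag. This is an added example, not code from the original page: the names `pin_action`, `fetch_live` and `PAGE_RESPONSES` are assumptions, and the embedded responses are the ones shown above, trimmed to the fields the code reads.

```python
import json
import urllib.request

API = "https://api.github.com/repos"

# Responses copied from this page (trimmed), so the example runs offline.
PAGE_RESPONSES = {
    f"{API}/actions/setup-node/git/refs/tags/v2": {"ref": "refs/tags/v2", "object": {
        "sha": "1f8c6b94b26d0feae1e387ca63ccbdc44d27b561", "type": "commit",
        "url": f"{API}/actions/setup-node/git/commits/1f8c6b94b26d0feae1e387ca63ccbdc44d27b561"}},
    f"{API}/actions/checkout/git/refs/tags/v2": {"ref": "refs/tags/v2", "object": {
        "sha": "629c2de402a417ea7690ca6ce3f33229e27606a5", "type": "tag",
        "url": f"{API}/actions/checkout/git/tags/629c2de402a417ea7690ca6ce3f33229e27606a5"}},
    f"{API}/actions/checkout/git/tags/629c2de402a417ea7690ca6ce3f33229e27606a5": {"object": {
        "sha": "ec3a7ce113134d7a93b817d10a8272cb61118579", "type": "commit",
        "url": f"{API}/actions/checkout/git/commits/ec3a7ce113134d7a93b817d10a8272cb61118579"}},
}

def fetch_live(url):
    """GET a GitHub API URL (unauthenticated) and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def pin_action(action, fetch=fetch_live, max_hops=3):
    """Turn 'owner/repo[/path]@tag' into 'owner/repo[/path]@<commit SHA>'."""
    path, sep, tag = action.partition("@")
    parts = path.split("/")
    if not sep or not tag or len(parts) < 2:
        raise ValueError(f"expected owner/repo@tag, got {action!r}")
    ref = fetch(f"{API}/{parts[0]}/{parts[1]}/git/refs/tags/{tag}")
    # Accept only a single ref whose name is exactly the tag that was asked for.
    if not isinstance(ref, dict) or ref.get("ref") != f"refs/tags/{tag}":
        raise LookupError(f"no exact tag {tag!r} in {parts[0]}/{parts[1]}")
    obj = ref["object"]
    for _ in range(max_hops):
        if obj["type"] != "tag":
            break
        # The SHA names a tag object, not a commit: follow object.url to reach the commit.
        obj = fetch(obj["url"])["object"]
    if obj["type"] != "commit":
        raise ValueError(f"tag resolved to a {obj['type']}, not a commit")
    return f"{path}@{obj['sha']}"

if __name__ == "__main__":
    for action in ("actions/setup-node@v2", "actions/checkout@v2"):
        # Drop the fetch argument to query the GitHub API instead of the saved responses.
        print(action, "->", pin_action(action, fetch=PAGE_RESPONSES.__getitem__))
```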