Refer to actions by commit hash

raboof · raboof · commit cc6a1792fb44 · 2025-06-16T14:18:58.000+02:00
Some organizations have a policy of always referring to GitHub
actions by commit hash rather than tag, as tags can be moved
without review.

This explores what this would look like for `sbt-github-actions`.
Of course the main downside would be that updating the hashes
creates churn.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,28 +34,28 @@ jobs:
 
       - name: Configure pagefile for Windows
         if: contains(runner.os, 'windows')
-        uses: al-cheb/configure-pagefile-action@v1.4
+        uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
         with:
           minimum-size: 2GB
           maximum-size: 8GB
           disk-root: 'C:'
 
       - name: Checkout current branch (full)
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_graalvm@17)
         if: matrix.java == 'graal_graalvm@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1.3.3
         with:
           java-version: 17
           distribution: graalvm
@@ -65,14 +65,14 @@ jobs:
 
       - name: Setup Java (corretto@17)
         if: matrix.java == 'corretto@17'
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: corretto
           java-version: 17
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@6c68d2fe8dfbc0a0534d70101baa2e0420e1a506 # v1.1.9
 
       - name: Check that workflows are up to date
         shell: bash
@@ -90,7 +90,7 @@ jobs:
         run: tar cf targets.tar target project/target
 
       - name: Upload target directories
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: target-${{ matrix.os }}-${{ matrix.scala }}-${{ matrix.java }}
           path: targets.tar
@@ -112,28 +112,28 @@ jobs:
 
       - name: Configure pagefile for Windows
         if: contains(runner.os, 'windows')
-        uses: al-cheb/configure-pagefile-action@v1.4
+        uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
         with:
           minimum-size: 2GB
           maximum-size: 8GB
           disk-root: 'C:'
 
       - name: Checkout current branch (full)
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_graalvm@17)
         if: matrix.java == 'graal_graalvm@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1.3.3
         with:
           java-version: 17
           distribution: graalvm
@@ -143,17 +143,17 @@ jobs:
 
       - name: Setup Java (corretto@17)
         if: matrix.java == 'corretto@17'
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: corretto
           java-version: 17
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@6c68d2fe8dfbc0a0534d70101baa2e0420e1a506 # v1.1.9
 
       - name: Download target directories (2.12.20)
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: target-${{ matrix.os }}-2.12.20-${{ matrix.java }}
 
diff --git a/src/main/scala/sbtghactions/GenerativePlugin.scala b/src/main/scala/sbtghactions/GenerativePlugin.scala
@@ -301,8 +301,8 @@ ${indent(rendered.mkString("\n"), 1)}"""
         import use.{ref, params}
 
         val decl = ref match {
-          case UseRef.Public(owner, repo, ref) =>
-            s"uses: $owner/$repo@$ref"
+          case UseRef.Public(owner, repo, rev, ref) =>
+            s"uses: $owner/$repo@$rev # $ref"
 
           case UseRef.Local(path) =>
             val cleaned = if (path.startsWith("./"))
@@ -640,7 +640,8 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
           UseRef.Public(
             "actions",
             "upload-artifact",
-            "v4"),
+            "ea165f8d65b6e75b540449e92b4886f43607fa02",
+            "v4.6.2"),
           name = Some(s"Upload target directories"),
           params = Map(
             "name" -> s"target-$${{ matrix.os }}-$${{ matrix.scala }}-$${{ matrix.java }}",
@@ -661,7 +662,8 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
             UseRef.Public(
               "actions",
               "download-artifact",
-              "v4"),
+              "d3f86a106a0bac45b974a628896c90dbdf5c8093",
+              "v4.3.0"),
             name = Some(s"Download target directories ($v)"),
             params = Map(
               "name" -> s"target-$${{ matrix.os }}-$v-$${{ matrix.java }}"))
@@ -686,7 +688,11 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
         val optionalPagefileFix = githubWorkflowWindowsPagefileFix.value.map(pageFileFix =>
           WorkflowStep.Use(
             name = Some("Configure pagefile for Windows"),
-            ref = UseRef.Public("al-cheb", "configure-pagefile-action", "v1.4"),
+            ref = UseRef.Public(
+              "al-cheb",
+              "configure-pagefile-action",
+              "a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708",
+              "v1.4"),
             params = Map(
               "minimum-size" -> s"${pageFileFix.minSize}",
               "maximum-size" -> s"${pageFileFix.maxSize}"
diff --git a/src/main/scala/sbtghactions/UseRef.scala b/src/main/scala/sbtghactions/UseRef.scala
@@ -19,7 +19,7 @@ package sbtghactions
 sealed trait UseRef extends Product with Serializable
 
 object UseRef {
-  final case class Public(owner: String, repo: String, ref: String) extends UseRef
+  final case class Public(owner: String, repo: String, rev: String, ref: String) extends UseRef
   final case class Local(path: String) extends UseRef
   final case class Docker(image: String, tag: String, host: Option[String] = None) extends UseRef
 }
diff --git a/src/main/scala/sbtghactions/WorkflowStep.scala b/src/main/scala/sbtghactions/WorkflowStep.scala
@@ -33,17 +33,31 @@ object WorkflowStep {
   val DefaultSbtStepPreamble: List[String] = List(s"++ $${{ matrix.scala }}")
 
   val CheckoutFull: WorkflowStep = Use(
-    UseRef.Public("actions", "checkout", "v4"),
+    UseRef.Public(
+      "actions",
+      "checkout",
+      "11bd71901bbe5b1630ceea73d27597364c9af683",
+      "v4.2.2"),
     name = Some("Checkout current branch (full)"),
     params = Map("fetch-depth" -> "0"))
 
-  val Checkout: WorkflowStep = Use(UseRef.Public("actions", "checkout", "v4"), name = Some("Checkout current branch (fast)"))
+  val Checkout: WorkflowStep = Use(
+    UseRef.Public(
+      "actions",
+      "checkout",
+      "11bd71901bbe5b1630ceea73d27597364c9af683",
+      "v4.2.2"),
+    name = Some("Checkout current branch (fast)"))
 
   def SetupJava(versions: List[JavaSpec]): List[WorkflowStep] =
     versions map {
       case jv @ JavaSpec(JavaSpec.Distribution.GraalVM(Graalvm.Version(graalVersion)), version) =>
         WorkflowStep.Use(
-          UseRef.Public("graalvm", "setup-graalvm", "v1"),
+          UseRef.Public(
+            "graalvm",
+            "setup-graalvm",
+            "01ed653ac833fe80569f1ef9f25585ba2811baab",
+            "v1.3.3"),
           name = Some(s"Setup GraalVM (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -54,7 +68,11 @@ object WorkflowStep {
             "cache" -> "sbt"))
       case jv @ JavaSpec(JavaSpec.Distribution.GraalVM(Graalvm.Distribution(distribution)), version) =>
         WorkflowStep.Use(
-          UseRef.Public("graalvm", "setup-graalvm", "v1"),
+          UseRef.Public(
+            "graalvm",
+            "setup-graalvm",
+            "01ed653ac833fe80569f1ef9f25585ba2811baab",
+            "v1.3.3"),
           name = Some(s"Setup GraalVM (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -65,7 +83,11 @@ object WorkflowStep {
             "cache" -> "sbt"))
       case jv @ JavaSpec(dist, version) =>
         WorkflowStep.Use(
-          UseRef.Public("actions", "setup-java", "v4"),
+          UseRef.Public(
+            "actions",
+            "setup-java",
+            "c5195efecf7bdfc987ee8bae7a71cb8b11521c00",
+            "v4.7.1"),
           name = Some(s"Setup Java (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -76,15 +98,24 @@ object WorkflowStep {
 
   def SetupSbt(runnerVersion: Option[String] = None): WorkflowStep =
     Use(
-      ref = UseRef.Public("sbt", "setup-sbt", "v1"),
+      ref = UseRef.Public(
+        "sbt",
+        "setup-sbt",
+        "6c68d2fe8dfbc0a0534d70101baa2e0420e1a506",
+        "v1.1.9"),
       params = runnerVersion match {
         case Some(v) => Map("sbt-runner-version" -> v)
         case None    => Map()
       },
       name = Some("Setup sbt"),
     )
 
-  val Tmate: WorkflowStep = Use(UseRef.Public("mxschmitt", "action-tmate", "v2"), name = Some("Setup tmate session"))
+  val Tmate: WorkflowStep = Use(
+    UseRef.Public(
+      "mxschmitt",
+      "action-tmate",
+      "ece3d66d6d54a01594acd0ee2e79d1bfb2df136d",
+      "v2"), name = Some("Setup tmate session"))
 
   def ComputeVar(name: String, cmd: String): WorkflowStep =
     Run(
diff --git a/src/test/scala/sbtghactions/GenerativePluginSpec.scala b/src/test/scala/sbtghactions/GenerativePluginSpec.scala
@@ -363,18 +363,19 @@ class GenerativePluginSpec extends Specification {
           UseRef.Public(
             "repo",
             "slug",
+            "rev",
             "v0")),
         "",
         Nil,
-        declareShell = true) mustEqual "- uses: repo/slug@v0"
+        declareShell = true) mustEqual "- uses: repo/slug@rev # v0"
     }
 
     "preserve wonky version in Use" in {
-      compileStep(Use(UseRef.Public("hello", "world", "v4.0.0")), "", Nil, declareShell = true) mustEqual "- uses: hello/world@v4.0.0"
+      compileStep(Use(UseRef.Public("hello", "world", "rev", "v4.0.0")), "", Nil, declareShell = true) mustEqual "- uses: hello/world@rev # v4.0.0"
     }
 
     "drop Use version prefix on anything that doesn't start with a number" in {
-      compileStep(Use(UseRef.Public("hello", "world", "main")), "", Nil, declareShell = true) mustEqual "- uses: hello/world@main"
+      compileStep(Use(UseRef.Public("hello", "world", "rev", "main")), "", Nil, declareShell = true) mustEqual "- uses: hello/world@rev # main"
     }
 
     "compile sbt using the command provided" in {
@@ -402,8 +403,8 @@ class GenerativePluginSpec extends Specification {
     "compile use without parameters" in {
       "public" >> {
         compileStep(
-          Use(UseRef.Public("olafurpg", "setup-scala", "v13")),
-          "") mustEqual "- uses: olafurpg/setup-scala@v13"
+          Use(UseRef.Public("olafurpg", "setup-scala", "rev", "v13")),
+          "") mustEqual "- uses: olafurpg/setup-scala@rev # v13"
       }
 
       "directory" >> {
@@ -435,8 +436,8 @@ class GenerativePluginSpec extends Specification {
 
     "compile use with two parameters" in {
       compileStep(
-        Use(UseRef.Public("olafurpg", "setup-scala", "v13"), params = Map("abc" -> "def", "cafe" -> "@42")),
-        "") mustEqual "- uses: olafurpg/setup-scala@v13\n  with:\n    abc: def\n    cafe: '@42'"
+        Use(UseRef.Public("olafurpg", "setup-scala", "rev", "v13"), params = Map("abc" -> "def", "cafe" -> "@42")),
+        "") mustEqual "- uses: olafurpg/setup-scala@rev # v13\n  with:\n    abc: def\n    cafe: '@42'"
     }
 
     "compile use with two parameters and environment variables" in {
@@ -445,10 +446,11 @@ class GenerativePluginSpec extends Specification {
           UseRef.Public(
             "derp",
             "nope",
+            "rev",
             "v0"),
           params = Map("teh" -> "schizzle", "think" -> "positive"),
           env = Map("hi" -> "there")),
-        "") mustEqual "- env:\n    hi: there\n  uses: derp/nope@v0\n  with:\n    teh: schizzle\n    think: positive"
+        "") mustEqual "- env:\n    hi: there\n  uses: derp/nope@rev # v0\n  with:\n    teh: schizzle\n    think: positive"
     }
 
     "compile a run step with multiple commands" in {
@@ -516,7 +518,7 @@ class GenerativePluginSpec extends Specification {
     - run: echo hello
 
     - name: Checkout current branch (fast)
-      uses: actions/checkout@v4"""
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2"""
     }
 
     "compile a job with one step and three oses" in {
@@ -565,15 +567,15 @@ class GenerativePluginSpec extends Specification {
   steps:
     - name: Setup Java (temurin@17)
       if: matrix.java == 'temurin@17'
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
         distribution: temurin
         java-version: 17
         cache: sbt
 
     - name: Setup GraalVM (graal_22.3.0@11)
       if: matrix.java == 'graal_22.3.0@11'
-      uses: graalvm/setup-graalvm@v1
+      uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1.3.3
       with:
         version: 22.3.0
         java-version: 11
@@ -605,7 +607,7 @@ class GenerativePluginSpec extends Specification {
   steps:
     - name: Setup GraalVM (graal_graalvm@17)
       if: matrix.java == 'graal_graalvm@17'
-      uses: graalvm/setup-graalvm@v1
+      uses: graalvm/setup-graalvm@01ed653ac833fe80569f1ef9f25585ba2811baab # v1.3.3
       with:
         java-version: 17
         distribution: graalvm
@@ -777,7 +779,7 @@ class GenerativePluginSpec extends Specification {
     - run: echo $${{ matrix.test }}
 
     - name: Checkout current branch (fast)
-      uses: actions/checkout@v4"""
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2"""
     }
 
     "compile a job with extra runs-on labels" in {
@@ -1000,7 +1002,7 @@ class GenerativePluginSpec extends Specification {
     - run: echo hello
 
     - name: Checkout current branch (fast)
-      uses: actions/checkout@v4"""
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2"""
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ package sbtghactions`
`19`	`19`	`sealed trait UseRef extends Product with Serializable`
`20`	`20`
`21`	`21`	`object UseRef {`
`22`		`- final case class Public(owner: String, repo: String, ref: String) extends UseRef`
	`22`	`+ final case class Public(owner: String, repo: String, rev: String, ref: String) extends UseRef`
`23`	`23`	`final case class Local(path: String) extends UseRef`
`24`	`24`	`final case class Docker(image: String, tag: String, host: Option[String] = None) extends UseRef`
`25`	`25`	`}`