Refer to actions by commit hash

Some organizations have a policy of always referring to GitHub
actions by commit hash rather than tag, as tags can be moved
without review.

This explores what this would look like for `sbt-github-actions`.
Of course the main downside would be that updating the hashes
creates churn.

Author: raboof

.github/workflows/ci.yml

@@ -34,28 +34,28 @@ jobs:
 
       - name: Configure pagefile for Windows
         if: contains(runner.os, 'windows')
-        uses: al-cheb/[email protected]
+        uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
         with:
           minimum-size: 2GB
           maximum-size: 8GB
           disk-root: 'C:'
 
       - name: Checkout current branch (full)
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_graalvm@17)
         if: matrix.java == 'graal_graalvm@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@2a2412009026a83f51d179f92dc2b3fd4c8142df # v1.4.1
         with:
           java-version: 17
           distribution: graalvm
@@ -65,14 +65,14 @@ jobs:
 
       - name: Setup Java (corretto@17)
         if: matrix.java == 'corretto@17'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: corretto
           java-version: 17
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@3e125ece5c3e5248e18da9ed8d2cce3d335ec8dd # v1.1.14
 
       - name: Check that workflows are up to date
         shell: bash
@@ -90,7 +90,7 @@ jobs:
         run: tar cf targets.tar target project/target
 
       - name: Upload target directories
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: target-${{ matrix.os }}-${{ matrix.scala }}-${{ matrix.java }}
           path: targets.tar
@@ -112,28 +112,28 @@ jobs:
 
       - name: Configure pagefile for Windows
         if: contains(runner.os, 'windows')
-        uses: al-cheb/[email protected]
+        uses: al-cheb/configure-pagefile-action@a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708 # v1.4
         with:
           minimum-size: 2GB
           maximum-size: 8GB
           disk-root: 'C:'
 
       - name: Checkout current branch (full)
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_graalvm@17)
         if: matrix.java == 'graal_graalvm@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@2a2412009026a83f51d179f92dc2b3fd4c8142df # v1.4.1
         with:
           java-version: 17
           distribution: graalvm
@@ -143,17 +143,17 @@ jobs:
 
       - name: Setup Java (corretto@17)
         if: matrix.java == 'corretto@17'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: corretto
           java-version: 17
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@3e125ece5c3e5248e18da9ed8d2cce3d335ec8dd # v1.1.14
 
       - name: Download target directories (2.12.20)
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: target-${{ matrix.os }}-2.12.20-${{ matrix.java }}
 

src/main/scala/sbtghactions/GenerativePlugin.scala

@@ -301,8 +301,8 @@ ${indent(rendered.mkString("\n"), 1)}"""
         import use.{ref, params}
 
         val decl = ref match {
-          case UseRef.Public(owner, repo, ref) =>
-            s"uses: $owner/$repo@$ref"
+          case UseRef.Public(owner, repo, rev, ref) =>
+            s"uses: $owner/$repo@$rev # $ref"
 
           case UseRef.Local(path) =>
             val cleaned = if (path.startsWith("./"))
@@ -640,7 +640,8 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
           UseRef.Public(
             "actions",
             "upload-artifact",
-            "v4"),
+            "ea165f8d65b6e75b540449e92b4886f43607fa02",
+            "v4.6.2"),
           name = Some(s"Upload target directories"),
           params = Map(
             "name" -> s"target-$${{ matrix.os }}-$${{ matrix.scala }}-$${{ matrix.java }}",
@@ -661,7 +662,8 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
             UseRef.Public(
               "actions",
               "download-artifact",
-              "v5"),
+              "634f93cb2916e3fdff6788551b99b062d0335ce0",
+              "v5.0.0"),
             name = Some(s"Download target directories ($v)"),
             params = Map(
               "name" -> s"target-$${{ matrix.os }}-$v-$${{ matrix.java }}"))
@@ -686,7 +688,11 @@ ${indent(jobs.map(compileJob(_, sbt)).mkString("\n\n"), 1)}
         val optionalPagefileFix = githubWorkflowWindowsPagefileFix.value.map(pageFileFix =>
           WorkflowStep.Use(
             name = Some("Configure pagefile for Windows"),
-            ref = UseRef.Public("al-cheb", "configure-pagefile-action", "v1.4"),
+            ref = UseRef.Public(
+              "al-cheb",
+              "configure-pagefile-action",
+              "a3b6ebd6b634da88790d9c58d4b37a7f4a7b8708",
+              "v1.4"),
             params = Map(
               "minimum-size" -> s"${pageFileFix.minSize}",
               "maximum-size" -> s"${pageFileFix.maxSize}"

src/main/scala/sbtghactions/UseRef.scala

@@ -19,7 +19,7 @@ package sbtghactions
 sealed trait UseRef extends Product with Serializable
 
 object UseRef {
-  final case class Public(owner: String, repo: String, ref: String) extends UseRef
+  final case class Public(owner: String, repo: String, rev: String, ref: String) extends UseRef
   final case class Local(path: String) extends UseRef
   final case class Docker(image: String, tag: String, host: Option[String] = None) extends UseRef
 }

src/main/scala/sbtghactions/WorkflowStep.scala

@@ -33,17 +33,31 @@ object WorkflowStep {
   val DefaultSbtStepPreamble: List[String] = List(s"++ $${{ matrix.scala }}")
 
   val CheckoutFull: WorkflowStep = Use(
-    UseRef.Public("actions", "checkout", "v5"),
+    UseRef.Public(
+      "actions",
+      "checkout",
+      "08c6903cd8c0fde910a37f88322edcfb5dd907a8",
+      "v5.0.0"),
     name = Some("Checkout current branch (full)"),
     params = Map("fetch-depth" -> "0"))
 
-  val Checkout: WorkflowStep = Use(UseRef.Public("actions", "checkout", "v5"), name = Some("Checkout current branch (fast)"))
+  val Checkout: WorkflowStep = Use(
+    UseRef.Public(
+      "actions",
+      "checkout",
+      "08c6903cd8c0fde910a37f88322edcfb5dd907a8",
+      "v5.0.0"),
+    name = Some("Checkout current branch (fast)"))
 
   def SetupJava(versions: List[JavaSpec]): List[WorkflowStep] =
     versions map {
       case jv @ JavaSpec(JavaSpec.Distribution.GraalVM(Graalvm.Version(graalVersion)), version) =>
         WorkflowStep.Use(
-          UseRef.Public("graalvm", "setup-graalvm", "v1"),
+          UseRef.Public(
+            "graalvm",
+            "setup-graalvm",
+            "2a2412009026a83f51d179f92dc2b3fd4c8142df",
+            "v1.4.1"),
           name = Some(s"Setup GraalVM (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -54,7 +68,11 @@ object WorkflowStep {
             "cache" -> "sbt"))
       case jv @ JavaSpec(JavaSpec.Distribution.GraalVM(Graalvm.Distribution(distribution)), version) =>
         WorkflowStep.Use(
-          UseRef.Public("graalvm", "setup-graalvm", "v1"),
+          UseRef.Public(
+            "graalvm",
+            "setup-graalvm",
+            "2a2412009026a83f51d179f92dc2b3fd4c8142df",
+            "v1.4.1"),
           name = Some(s"Setup GraalVM (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -65,7 +83,11 @@ object WorkflowStep {
             "cache" -> "sbt"))
       case jv @ JavaSpec(dist, version) =>
         WorkflowStep.Use(
-          UseRef.Public("actions", "setup-java", "v5"),
+          UseRef.Public(
+            "actions",
+            "setup-java",
+            "dded0888837ed1f317902acf8a20df0ad188d165",
+            "v5.0.0"),
           name = Some(s"Setup Java (${jv.render})"),
           cond = Some(s"matrix.java == '${jv.render}'"),
           params = ListMap(
@@ -76,15 +98,24 @@ object WorkflowStep {
 
   def SetupSbt(runnerVersion: Option[String] = None): WorkflowStep =
     Use(
-      ref = UseRef.Public("sbt", "setup-sbt", "v1"),
+      ref = UseRef.Public(
+        "sbt",
+        "setup-sbt",
+        "3e125ece5c3e5248e18da9ed8d2cce3d335ec8dd",
+        "v1.1.14"),
       params = runnerVersion match {
         case Some(v) => Map("sbt-runner-version" -> v)
         case None    => Map()
       },
       name = Some("Setup sbt"),
     )
 
-  val Tmate: WorkflowStep = Use(UseRef.Public("mxschmitt", "action-tmate", "v2"), name = Some("Setup tmate session"))
+  val Tmate: WorkflowStep = Use(
+    UseRef.Public(
+      "mxschmitt",
+      "action-tmate",
+      "ece3d66d6d54a01594acd0ee2e79d1bfb2df136d",
+      "v2"), name = Some("Setup tmate session"))
 
   def ComputeVar(name: String, cmd: String): WorkflowStep =
     Run(

src/sbt-test/sbtghactions/check-and-regenerate/expected-ci.yml

@@ -37,21 +37,21 @@ jobs:
 
     steps:
       - name: Checkout current branch (full)
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_22.3.0@17)
         if: matrix.java == 'graal_22.3.0@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@2a2412009026a83f51d179f92dc2b3fd4c8142df # v1.4.1
         with:
           version: 22.3.0
           java-version: 17
@@ -60,7 +60,7 @@ jobs:
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@3e125ece5c3e5248e18da9ed8d2cce3d335ec8dd # v1.1.14
 
       - name: Check that workflows are up to date
         run: sbt '++ ${{ matrix.scala }}' githubWorkflowCheck
@@ -74,7 +74,7 @@ jobs:
         run: tar cf targets.tar target project/target
 
       - name: Upload target directories
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: target-${{ matrix.os }}-${{ matrix.scala }}-${{ matrix.java }}
           path: targets.tar
@@ -93,21 +93,21 @@ jobs:
 
     steps:
       - name: Checkout current branch (full)
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
       - name: Setup Java (zulu@8)
         if: matrix.java == 'zulu@8'
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
           distribution: zulu
           java-version: 8
           cache: sbt
 
       - name: Setup GraalVM (graal_22.3.0@17)
         if: matrix.java == 'graal_22.3.0@17'
-        uses: graalvm/setup-graalvm@v1
+        uses: graalvm/setup-graalvm@2a2412009026a83f51d179f92dc2b3fd4c8142df # v1.4.1
         with:
           version: 22.3.0
           java-version: 17
@@ -116,10 +116,10 @@ jobs:
           cache: sbt
 
       - name: Setup sbt
-        uses: sbt/setup-sbt@v1
+        uses: sbt/setup-sbt@3e125ece5c3e5248e18da9ed8d2cce3d335ec8dd # v1.1.14
 
       - name: Download target directories (2.13.10)
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: target-${{ matrix.os }}-2.13.10-${{ matrix.java }}
 
@@ -129,7 +129,7 @@ jobs:
           rm targets.tar
 
       - name: Download target directories (2.12.17)
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: target-${{ matrix.os }}-2.12.17-${{ matrix.java }}