Determining the digest for a GitHub Action


When working with GitHub Actions, you may have encountered a Workflow that pins the digest of the Action being used:

      steps:
      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5

So how do you go about determining the digest?

We definitely don't want to update these manually over time, so we instead outsource this to tools like Renovate and Dependabot, which understand that e.g. the v5 comment means "keep this up-to-date with the latest v5.x release".

For folks not aware, in the GitHub Actions ecosystem you generally have a v5 tag (which is treated as mutable) as well as e.g. a v5.25.0 tag.

When pushing the v5.25.0 tag, you also re-push v5 to point to the same commit hash.

With this in mind, we can look up the v5 Git tag, and check out the commit hash that the tag points to.

For instance, using the gh CLI:

% gh api /repos/release-drafter/release-drafter/git/refs/tags/v5
{
  "ref": "refs/tags/v5",
  "node_id": "MDM6UmVmMTM5MDIyMzU5OnJlZnMvdGFncy92NQ==",
  "url": "https://api.github.com/repos/release-drafter/release-drafter/git/refs/tags/v5",
  "object": {
    "sha": "09c613e259eb8d4e7c81c2cb00618eb5fc4575a7",
    "type": "commit",
    "url": "https://api.github.com/repos/release-drafter/release-drafter/git/commits/09c613e259eb8d4e7c81c2cb00618eb5fc4575a7"
  }
}

(You can also go to the tag page itself)
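
An added example, not code from the original post: the same lookup as a Python function that also handles annotated tags, where the ref's object is a tag object rather than a commit and has to be dereferenced through /git/tags/<sha>. The names resolve_tag and pinned_uses are chosen here, and the example-org/example-action repository with its repeated-letter SHAs is constructed sample data so the block runs offline.

```python
import json
import subprocess

def gh_api(path):
    """Default fetcher: the `gh api` call from the article (needs network and auth)."""
    done = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True)
    return json.loads(done.stdout)

def resolve_tag(repo, tag, fetch=gh_api):
    """Return the commit SHA that `tag` of `repo` (owner/name) currently points to."""
    ref = fetch(f"/repos/{repo}/git/refs/tags/{tag}")
    # Defensive: accept only a single ref object whose name is exactly this tag.
    if not isinstance(ref, dict) or ref.get("ref") != f"refs/tags/{tag}":
        raise LookupError(f"no exact ref for tag {tag!r} in {repo}")
    obj = ref["object"]
    # A lightweight tag points straight at a commit. An annotated tag points at
    # a tag object, whose sha is NOT the commit: dereference via /git/tags/<sha>.
    for _ in range(5):  # bounded, in case tag objects are nested
        if obj["type"] == "commit":
            return obj["sha"]
        if obj["type"] != "tag":
            raise ValueError(f"{tag} resolves to a {obj['type']}, not a commit")
        obj = fetch(f"/repos/{repo}/git/tags/{obj['sha']}")["object"]
    raise ValueError(f"{tag}: too many nested tag objects")

def pinned_uses(repo, tag, fetch=gh_api):
    """Format the pinned step the way the article writes it."""
    return f"- uses: {repo}@{resolve_tag(repo, tag, fetch)} # {tag}"

# Constructed offline responses. The first mirrors the article's output; the
# example-org repo, its tag and both of its SHAs are made up for illustration.
COMMIT, TAG_OBJ = "c" * 40, "a" * 40
SAMPLE = {
    "/repos/release-drafter/release-drafter/git/refs/tags/v5": {
        "ref": "refs/tags/v5",
        "object": {"sha": "09c613e259eb8d4e7c81c2cb00618eb5fc4575a7", "type": "commit"}},
    "/repos/example-org/example-action/git/refs/tags/v1": {
        "ref": "refs/tags/v1", "object": {"sha": TAG_OBJ, "type": "tag"}},
    "/repos/example-org/example-action/git/tags/" + TAG_OBJ: {
        "tag": "v1", "object": {"sha": COMMIT, "type": "commit"}},
}

if __name__ == "__main__":
    print(pinned_uses("release-drafter/release-drafter", "v5", SAMPLE.__getitem__))
    print(pinned_uses("example-org/example-action", "v1", SAMPLE.__getitem__))
```

Called without the fetch argument, resolve_tag goes through the gh CLI and so needs network access and an authenticated gh.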

This blog post provides a few other options to automate this, such as the pin-github-action npm package.

I've also found that sometimes it can be more straightforward - but lazy - to create it unpinned, and then make sure that Renovate pins it for me using helpers:pinGitHubActionDigests.

Pinning with a SemVer version

As a bonus treat, I'd (personally) recommend pinning your digests like so, with the full SemVer version:

-     - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5
+     - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
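
Review bot: on the added line, the # v5.25.0 comment is not tied to the digest by anything in the file; the SHA is identical on both lines and only the comment changes. Before merging, confirm that refs/tags/v5.25.0 resolves to 09c613e259eb8d4e7c81c2cb00618eb5fc4575a7, because a version comment that does not match the pinned commit misleads reviewers and the tooling that reads it.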

Renovate will then pin + update these for you when using helpers:pinGitHubActionDigestsToSemver.

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.
