stenyan[.]dev

When asking an AI Agent to write a GitHub Actions Workflow, it often outputs workflows using old versions of actions, like uses: actions/checkout@v2.

Also, when reviewing other people's PRs which include workflow files, I often tell them to pin the actions used to a specific commit hash. Instead of repeatedly writing such comments, I decided to create a Skill for this.

https://github.com/stefafafan/skills/blob/6ed0b32107c39c19271365763c6f7bd0d295847e/skills/pin-github-actions/SKILL.md

How to get the latest tag

As mentioned in the SKILL.md file, the following command can be used to get the commit hash and tag name of the latest tag.

git ls-remote --tags --sort="v:refname" <REPO_URL> | tail -n 1

Using suzuki-shunsuke/pinact is also a great option

https://github.com/suzuki-shunsuke/pinact is very useful, and I thought about including it in the skills, but I decided against it because I wasn't sure if it was appropriate to have pinact being installed everytime the AI agent writes a GitHub Workflow.

If you regularly use pinact, you can run the command yourself without relying on the skills.

References

• https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
• https://github.com/suzuki-shunsuke/pinact
• https://www.reddit.com/r/git/comments/1ixpxi5/how_do_i_get_latest_release_programatically/