Harden PinGitHubActionsToSha tests against SHA drift by timtebeek · Pull Request #196 · openrewrite/rewrite-github-actions

timtebeek · 2026-06-16T20:44:43Z

The PinGitHubActionsToShaTest cases pinned their expected output to bare major action tags (@v3, @v4, @v5), whose SHAs the weekly update-known-shas job re-resolves whenever an upstream maintainer re-points the major tag, forcing repeated manual test fixes (Update stale codeql-action SHA in PinGitHubActionsToShaTest #186, Update known action SHAs #188, Update known action SHAs #192). This switches every SHA-bearing test reference to a fully-qualified immutable patch tag (e.g. codecov/codecov-action@v4.6.0, github/codeql-action/init@v3.36.2), which the refresh script treats as immutable and never rewrites. The chosen patch tags currently resolve to the same commits as the old major tags, so only the input tags and # vX version comments change — the expected SHAs are identical. All tests pass.

Pin test references to immutable patch tags to stop SHA drift

ae1b8e8

moderne-meeseeks Bot added this to OpenRewrite Jun 16, 2026

moderne-meeseeks Bot assigned timtebeek Jun 16, 2026

github-project-automation Bot moved this to In Progress in OpenRewrite Jun 16, 2026

timtebeek merged commit c6f5a44 into main Jun 16, 2026
1 check passed

timtebeek deleted the tim/harden-sha-tests branch June 16, 2026 20:46

github-project-automation Bot moved this from In Progress to Done in OpenRewrite Jun 16, 2026

Provide feedback