Your workflow references the action with a uses: ref — almost always the moving major tag pullfrog/pullfrog@v0. This page explains what that ref does (and doesn’t) pin, and how to pin to a commit SHA safely.

How the action is versioned

The published action is a thin bootstrap. At runtime it pulls the real agent from npm at ^<version> (the latest release in the current major line), so the agent itself is always current regardless of how you pin the uses: ref. The ref only fixes two things from the checked-out action:
  • action.yml — the input/output contract.
  • The post: cleanup step — a best-effort hook that runs after every job (it persists rotated credentials and surfaces run state).
pullfrog/pullfrog@v0 tracks the latest v0.x release of both. This is what the console emits and what we recommend.

Pinning to a commit SHA

GitHub’s security hardening guide recommends pinning third-party actions to a full commit SHA, since tags are mutable. Tools like Dependabot, StepSecurity, and pin-github-action apply this automatically, leaving the version as a comment:
uses: pullfrog/pullfrog@abc123… # v0
A commit SHA is immutable, so it freezes the post: cleanup step at that commit forever. The agent still floats via npm, but a stale pin runs old cleanup code; once the pinned revision is old enough that its cleanup hook is no longer compatible with the current agent, every run fails in the post step, after the agent has already finished its work. The pin does not lock the behavior you care about (that comes from npm); it only freezes the wrapper.
If you pin a SHA, keep it fresh so the cleanup step stays current. Dependabot bumps both the SHA and the # v0 comment automatically — add the GitHub Actions ecosystem to your config:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Which should I use?

You want…                                       Use
The simplest setup that always stays current    pullfrog/pullfrog@v0
SHA pinning for a security policy               a commit SHA plus Dependabot (above) to keep it fresh
A bare commit SHA with no updater is the one combination to avoid — it’s how the cleanup step goes stale.
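Added example, not code from the pullfrog project or its console: a small Python check that audits a workflow for the combinations this page discusses (floating tag, SHA pin with an updater, bare SHA with no updater or no version comment) and re-pins `uses:` lines the way pin-github-action and Dependabot do, replacing a tag or a stale SHA with the current commit for that tag while keeping the `# v0` comment. The workflow text, the Dependabot configs and the tag-to-SHA mapping are constructed for the example; in practice the mapping comes from `git ls-remote` against the action repository. The helper names (`audit`, `repin`, `has_actions_updater`) are this example's own.

```python
import re

REPO = "pullfrog/pullfrog"

# Constructed sample workflow (not a real pullfrog workflow): one floating tag,
# one SHA pin with a version comment, one bare SHA with no comment.
WORKFLOW = """\
name: pullfrog
on: [issue_comment]
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pullfrog/pullfrog@v0
      - uses: pullfrog/pullfrog@0123456789abcdef0123456789abcdef01234567 # v0
      - uses: pullfrog/pullfrog@89abcdef0123456789abcdef0123456789abcdef
"""

# Constructed Dependabot config that only updates npm, so SHA pins never move.
DEPENDABOT_NPM_ONLY = """\
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
"""

# The github-actions ecosystem entry this page recommends.
DEPENDABOT_ACTIONS = """\
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
"""

# Constructed stand-in for what `git ls-remote https://github.com/pullfrog/pullfrog
# refs/tags/v0` would return today (peel annotated tags with ^{} when resolving).
RESOLVED = {"v0": "fedcba9876543210fedcba9876543210fedcba98"}

# Matches `- uses: owner/repo@ref # optional comment`; quoted values are not handled.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>\S+)(?P<comment>\s*#.*)?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def has_actions_updater(dependabot_text):
    """True if the Dependabot config contains a github-actions ecosystem entry."""
    return re.search(r'package-ecosystem:\s*["\']?github-actions["\']?', dependabot_text) is not None


def audit(workflow_text, dependabot_text, repo=REPO):
    """Return (lineno, kind, issues) for each `uses:` line that references repo.

    kind is "tag" or "sha"; issues lists what keeps a SHA pin from staying fresh.
    """
    findings = []
    updater = has_actions_updater(dependabot_text)
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group("repo") != repo:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            findings.append((lineno, "tag", []))
            continue
        issues = []
        if not updater:
            issues.append("no-github-actions-updater")  # the combination to avoid
        if not comment:
            issues.append("no-version-comment")  # updaters cannot tell which tag to track
        findings.append((lineno, "sha", issues))
    return findings


def repin(workflow_text, resolved, repo=REPO):
    """Rewrite tag refs and commented SHA pins to the current SHA for their tag.

    A bare SHA without a version comment is left untouched: nothing says which
    tag it stands for, so it cannot be refreshed safely.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("repo") == repo:
            ref, comment = m.group("ref"), m.group("comment") or ""
            if SHA_RE.match(ref):
                cm = re.match(r"\s*#\s*(\S+)", comment)
                tag = cm.group(1) if cm else None
            else:
                tag = ref
            if tag in resolved:
                line = f"{m.group('indent')}{repo}@{resolved[tag]} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(WORKFLOW, DEPENDABOT_NPM_ONLY):
        print(finding)
    print(repin(WORKFLOW, RESOLVED))
```

Run against the constructed workflow with the npm-only Dependabot config, every SHA pin is flagged as having no updater and the bare SHA is additionally flagged for its missing comment; after `repin`, the tag line and the commented SHA line both point at the resolved commit with `# v0` preserved, and re-auditing with the github-actions updater leaves only the bare SHA as a finding.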