Versions & pinning - Pullfrog
Skip to main content
Your workflow references the action with a uses: ref — almost always the moving major tag pullfrog/pullfrog@v0. This page explains what that ref does (and doesn’t) pin, and how to pin to a commit SHA safely.

How the action is versioned

The published action is a thin bootstrap. At runtime it pulls the real agent from npm at ^<version> (the latest release in the current major line), so the agent itself is always current regardless of how you pin the uses: ref. The ref only fixes two things from the checked-out action:
  • action.yml — the input/output contract.
  • The post: cleanup step — a best-effort hook that runs after every job (it persists rotated credentials and surfaces run state).
pullfrog/pullfrog@v0 tracks the latest v0.x release of both. This is what the console emits and what we recommend.

Pinning to a commit SHA

GitHub’s security hardening guide recommends pinning third-party actions to a full commit SHA, since tags are mutable. Tools like Dependabot, StepSecurity, and pin-github-action apply this automatically, leaving the version as a comment: 
uses: pullfrog/pullfrog@abc123… # v0
A commit SHA is immutable, so it freezes the post: cleanup step at that commit forever. The agent still floats via npm, but a stale pin runs old cleanup code — and once an old enough revision ships an incompatible cleanup hook, every run flips to failure after the agent has already finished its work. The pin doesn’t lock the behavior you care about (that comes from npm); it only freezes the wrapper.
If you pin a SHA, keep it fresh so the cleanup step stays current. Dependabot bumps both the SHA and the # v0 comment automatically — add the GitHub Actions ecosystem to your config: 
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Which should I use?

A bare commit SHA with no updater is the one combination to avoid — it’s how the cleanup step goes stale.