github-actions sha-pinning supply-chain-security ci-cd

Hallucinated GitHub Actions SHA Pins Cause CI Failure

Problem

CI pipeline failed immediately on first run with:

An action could not be found at the URI
'https://api.github.com/repos/pnpm/action-setup/tarball/fe02b34f77f8bc703a5f83f2ec0b1d17f6cfbf1f'

Root Cause

When SHA-pinning GitHub Actions for supply chain security (recommended practice), the AI assistant generated plausible-looking but completely fabricated SHA hashes. The SHAs didn’t correspond to any real commits in the action repositories.

This affected all three pinned actions:

  • actions/checkout@b4ffde65... — not a real SHA
  • pnpm/action-setup@fe02b34f... — not a real SHA
  • actions/setup-node@39370e39... — not a real SHA

Solution

Look up real SHA hashes from the action repositories using the GitHub API:

# Get tag SHAs for any action
gh api repos/actions/checkout/git/refs/tags --jq '.[-3:][] | .ref + " " + .object.sha'
gh api repos/pnpm/action-setup/git/refs/tags --jq '.[-3:][] | .ref + " " + .object.sha'
gh api repos/actions/setup-node/git/refs/tags --jq '.[-3:][] | .ref + " " + .object.sha'

Then use the real SHAs with version comments:

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

Prevention

  • Never trust AI-generated SHA hashes. Always verify via gh api or the GitHub UI.
  • Add a comment with the version tag next to each SHA for human readability.
  • Consider using a tool like StepSecurity’s pin-github-action to automate SHA lookups.
  • Test CI on a feature branch before merging to main.
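The lookup in the Solution section and the "always verify" rule above, as an added example that is not code from the original page: a script that extracts every SHA-pinned uses: line from a workflow, confirms the SHA exists in the action's repository, and checks that it is the commit behind the tag in the trailing comment (dereferencing annotated tags, whose ref points at a tag object rather than a commit). The names gh_api, resolve_tag, check_pins and FAKE_API are chosen here; FAKE_API is a constructed offline stand-in for the gh CLI, and its annotated-tag object id is made up.

```python
import json
import re
import subprocess

# `uses: owner/repo[/path]@<40-hex sha> # <tag>`, the form used in this page's fix.
USES_RE = re.compile(r"uses:\s*(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?:/[^@\s]*)?"
                     r"@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>v?\d[\w.-]*)")

def gh_api(path):
    """GET a REST path with the gh CLI; None when the API errors (unknown SHA, unknown tag)."""
    proc = subprocess.run(["gh", "api", path], capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.returncode == 0 else None

def resolve_tag(owner, repo, tag, fetch=gh_api):
    """Commit SHA behind a tag; an annotated tag's ref is a tag object that must be dereferenced."""
    ref = fetch(f"repos/{owner}/{repo}/git/ref/tags/{tag}")
    if ref is None:
        return None
    if ref["object"]["type"] == "tag":
        tag_obj = fetch(f"repos/{owner}/{repo}/git/tags/{ref['object']['sha']}")
        return tag_obj["object"]["sha"] if tag_obj else None
    return ref["object"]["sha"]

def check_pins(workflow_text, fetch=gh_api):
    """Map each owner/repo@sha pin to 'ok', 'sha-not-found' or 'tag-mismatch'."""
    results = {}
    for m in USES_RE.finditer(workflow_text):
        owner, repo, sha, tag = m.group("owner", "repo", "sha", "tag")
        if fetch(f"repos/{owner}/{repo}/commits/{sha}") is None:
            status = "sha-not-found"   # the fabricated-pin failure described on this page
        elif resolve_tag(owner, repo, tag, fetch) != sha:
            status = "tag-mismatch"    # a real commit, but not the one the comment claims
        else:
            status = "ok"
        results[f"{owner}/{repo}@{sha}"] = status
    return results

# Constructed sample: one pin from the page's fix plus the hallucinated pnpm pin.
SAMPLE_WORKFLOW = """
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: pnpm/action-setup@fe02b34f77f8bc703a5f83f2ec0b1d17f6cfbf1f # v4.2.0
"""
CHECKOUT, TAG_OBJ = "de0fac2e4500dabe0009e67214ff5f5447ce83dd", "a" * 40  # TAG_OBJ is made up
FAKE_API = {  # constructed offline stand-in for gh_api; the fabricated SHA has no entry
    f"repos/actions/checkout/commits/{CHECKOUT}": {"sha": CHECKOUT},
    "repos/actions/checkout/git/ref/tags/v6.0.2": {"object": {"type": "tag", "sha": TAG_OBJ}},
    f"repos/actions/checkout/git/tags/{TAG_OBJ}": {"object": {"type": "commit", "sha": CHECKOUT}},
}
if __name__ == "__main__":
    print(check_pins(SAMPLE_WORKFLOW, fetch=FAKE_API.get))  # pass fetch=gh_api for a live check
```

Run it against a real workflow with fetch=gh_api (the default) and any pin reported as sha-not-found is exactly the failure shown at the top of this page.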