Naked GitHub Actions SHA digest updates resolve to default branch HEAD instead of pinned branch #42245

shaanmajid · 2026-03-30T14:28:39Z

shaanmajid
Mar 30, 2026

How are you running Renovate?

Self-hosted Renovate CLI

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

43.100.1

Please tell us more about your question or problem

When a GitHub Actions uses: line pins to a bare SHA without a version comment:

steps:
  - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9

Renovate proposes updating the digest to the latest commit on the default branch (main) of the action's repository, regardless of which branch the original SHA belongs to.

This is especially harmful when the SHA is from a non-default branch; the pin gets silently migrated to an unrelated main commit.

This arguably may be expected behavior, but at the very least, it does not seem to be mentioned in the documentation relevant documentation.

MRE

renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"]
}

.github/workflows/ci.yml:

name: CI
on: push

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Case 1: SHA from releases/v2 (NOT an ancestor of main).
      # Renovate should not touch this, but it will propose updating
      # the digest to HEAD of main (a completely unrelated commit).
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5

      # Case 2: Stale SHA from main (not HEAD).
      # Renovate will propose updating to current HEAD of main.
      - uses: actions/checkout@033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1

Logs (if relevant)

Logs

 INFO: Renovate started
       "renovateVersion": "43.100.1"
DEBUG: Using RE2 regex engine
DEBUG: Parsing configs
DEBUG: No config file found on disk - skipping
DEBUG: No additional config file found specified - skipping
DEBUG: Converting GITHUB_COM_TOKEN into a global host rule
DEBUG: File config
       "config": {}
DEBUG: Additional file config
       "config": {}
DEBUG: CLI config
       "config": {"dryRun": "full", "platform": "local"}
DEBUG: Env config
       "config": {
         "hostRules": [
           {"hostType": "github", "matchHost": "github.com", "token": "***********"}
         ]
       }
DEBUG: Resolved global extends
       "config": undefined
DEBUG: Combined config
       "config": {
         "hostRules": [
           {"hostType": "github", "matchHost": "github.com", "token": "***********"}
         ],
         "dryRun": "full",
         "platform": "local"
       }
DEBUG: Enabling forkProcessing while in non-autodiscover mode
DEBUG: Enabling onboardingNoDeps while in non-autodiscover mode
DEBUG: Found valid git version: 2.53.0
DEBUG: Setting global hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
DEBUG: Using baseDir: /var/folders/7p/7p8txc0n2xb6_dj13c46ld900000gn/T/renovate
DEBUG: Using cacheDir: /var/folders/7p/7p8txc0n2xb6_dj13c46ld900000gn/T/renovate/cache
DEBUG: Using containerbaseDir: /var/folders/7p/7p8txc0n2xb6_dj13c46ld900000gn/T/renovate/cache/containerbase
DEBUG: Initializing Renovate internal cache into /var/folders/7p/7p8txc0n2xb6_dj13c46ld900000gn/T/renovate/cache/renovate/renovate-cache-v1
DEBUG: Commits limit = null
DEBUG: Setting global hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
DEBUG: validatePresets()
ERROR: Unsupported node environment detected. Please update your node version.
       "versions": {
         "node": "25.8.1",
         "acorn": "8.16.0",
         "ada": "3.4.3",
         "amaro": "1.1.8",
         "ares": "1.34.6",
         "brotli": "1.2.0",
         "cldr": "48.0",
         "icu": "78.3",
         "lief": "0.17.0",
         "llhttp": "9.3.1",
         "merve": "1.2.0",
         "modules": "141",
         "napi": "10",
         "nbytes": "0.1.3",
         "ncrypto": "0.0.1",
         "nghttp2": "1.68.1",
         "nghttp3": "",
         "ngtcp2": "",
         "openssl": "3.6.1",
         "simdjson": "4.4.2",
         "simdutf": "7.3.3",
         "sqlite": "3.51.3",
         "tz": "2026a",
         "undici": "7.22.0",
         "unicode": "17.0",
         "uv": "1.52.1",
         "uvwasi": "0.0.23",
         "v8": "14.1.146.11-node.21",
         "zlib": "1.2.12",
         "zstd": "1.5.7"
       },
       "range": "^24.11.0"
DEBUG: Reinitializing hostRules for repo
DEBUG: Clearing hostRules
DEBUG: Adding token authentication for github.com (hostType=github) to hostRules
 INFO: Repository started (repository=local)
       "renovateVersion": "43.100.1"
DEBUG: Using localDir: /private/tmp/gha-naked-sha-mre (repository=local)
DEBUG: PackageFiles.clear() - Package files deleted (repository=local)
DEBUG: Resetting npmrc (repository=local)
DEBUG: Resetting npmrc (repository=local)
DEBUG: checkOnboarding() (repository=local)
DEBUG: isOnboarded() (repository=local)
DEBUG: findFile(renovate.json) (repository=local)
DEBUG: Got file list using git (repository=local)
DEBUG: Config file exists, fileName: renovate.json (repository=local)
DEBUG: Repo is onboarded (repository=local)
DEBUG: Got file list using git (repository=local)
DEBUG: Found renovate.json config file (repository=local)
DEBUG: Repository config (repository=local)
       "fileName": "renovate.json",
       "config": {
         "$schema": "https://docs.renovatebot.com/renovate-schema.json",
         "extends": ["config:recommended"]
       }
DEBUG: migrateAndValidate() (repository=local)
DEBUG: No config migration necessary (repository=local)
DEBUG: Found repo ignorePaths (repository=local)
       "ignorePaths": [
         "**/node_modules/**",
         "**/bower_components/**",
         "**/vendor/**",
         "**/examples/**",
         "**/__tests__/**",
         "**/test/**",
         "**/tests/**",
         "**/__fixtures__/**"
       ]
DEBUG: No vulnerability alerts found (repository=local)
DEBUG: No baseBranches (repository=local)
DEBUG: extract() (repository=local)
DEBUG: Got file list using git (repository=local)
DEBUG: Using file pattern: /(^|/)tasks/[^/]+\.ya?ml$/ for manager ansible (repository=local)
DEBUG: Using file pattern: /(^|/)(galaxy|requirements)(\.ansible)?\.ya?ml$/ for manager ansible-galaxy (repository=local)
DEBUG: Using file pattern: /(^|/)\.tool-versions$/ for manager asdf (repository=local)
DEBUG: Using file pattern: /(^|/).azuredevops/.+\.ya?ml$/ for manager azure-pipelines (repository=local)
DEBUG: Using file pattern: /azure.*pipelines?.*\.ya?ml$/ for manager azure-pipelines (repository=local)
DEBUG: Using file pattern: /(^|/)batect(-bundle)?\.ya?ml$/ for manager batect (repository=local)
DEBUG: Using file pattern: /(^|/)batect$/ for manager batect-wrapper (repository=local)
DEBUG: Using file pattern: /(^|/)WORKSPACE(|\.bazel|\.bzlmod)$/ for manager bazel (repository=local)
DEBUG: Using file pattern: /\.WORKSPACE\.bazel$/ for manager bazel (repository=local)
DEBUG: Using file pattern: /\.bzl$/ for manager bazel (repository=local)
DEBUG: Using file pattern: /(^|/|\.)MODULE\.bazel$/ for manager bazel-module (repository=local)
DEBUG: Using file pattern: /(^|/)\.bazelversion$/ for manager bazelisk (repository=local)
DEBUG: Using file pattern: /\.bicep$/ for manager bicep (repository=local)
DEBUG: Using file pattern: /(^|/)\.?bitbucket-pipelines\.ya?ml$/ for manager bitbucket-pipelines (repository=local)
DEBUG: Using file pattern: /(^|/)bitrise\.ya?ml$/ for manager bitrise (repository=local)
DEBUG: Using file pattern: /buildkite\.ya?ml/ for manager buildkite (repository=local)
DEBUG: Using file pattern: /\.buildkite/.+\.ya?ml$/ for manager buildkite (repository=local)
DEBUG: Using file pattern: /(^|/)project\.toml$/ for manager buildpacks (repository=local)
DEBUG: Using file pattern: /(^|/)bun\.lockb?$/ for manager bun (repository=local)
DEBUG: Using file pattern: /(^|/)package\.json$/ for manager bun (repository=local)
DEBUG: Using file pattern: /(^|/)\.bun-version$/ for manager bun-version (repository=local)
DEBUG: Using file pattern: /(^|/)Gemfile$/ for manager bundler (repository=local)
DEBUG: Using file pattern: /\.cake$/ for manager cake (repository=local)
DEBUG: Using file pattern: /(^|/)Cargo\.toml$/ for manager cargo (repository=local)
DEBUG: Using file pattern: /(^|/)\.circleci/.+\.ya?ml$/ for manager circleci (repository=local)
DEBUG: Using file pattern: /(^|/)cloudbuild\.ya?ml/ for manager cloudbuild (repository=local)
DEBUG: Using file pattern: /(^|/)Podfile$/ for manager cocoapods (repository=local)
DEBUG: Using file pattern: /(^|/)([\w-]*)composer\.json$/ for manager composer (repository=local)
DEBUG: Using file pattern: /(^|/)conanfile\.(txt|py)$/ for manager conan (repository=local)
DEBUG: Using file pattern: /(^|/)\.copier-answers(\..+)?\.ya?ml/ for manager copier (repository=local)
DEBUG: Using file pattern: /(^|/)cpanfile$/ for manager cpanfile (repository=local)
DEBUG: Using file pattern: /^\.crow(?:/[^/]+)?\.ya?ml$/ for manager crow (repository=local)
DEBUG: Using file pattern: /(^|/)(?:deps|bb)\.edn$/ for manager deps-edn (repository=local)
DEBUG: Using file pattern: /(^|/)devbox\.json$/ for manager devbox (repository=local)
DEBUG: Using file pattern: /^.devcontainer/devcontainer.json$/ for manager devcontainer (repository=local)
DEBUG: Using file pattern: /^.devcontainer.json$/ for manager devcontainer (repository=local)
DEBUG: Using file pattern: /(^|/)(?:docker-)?compose[^/]*\.ya?ml$/ for manager docker-compose (repository=local)
DEBUG: Using file pattern: /(^|/|\.)([Dd]ocker|[Cc]ontainer)file$/ for manager dockerfile (repository=local)
DEBUG: Using file pattern: /(^|/)([Dd]ocker|[Cc]ontainer)file[^/]*$/ for manager dockerfile (repository=local)
DEBUG: Using file pattern: /(^|/)\.drone\.yml$/ for manager droneci (repository=local)
DEBUG: Using file pattern: /(^|/)fleet\.ya?ml/ for manager fleet (repository=local)
DEBUG: Using file pattern: /(?:^|/)gotk-components\.ya?ml$/ for manager flux (repository=local)
DEBUG: Using file pattern: /(^|/)\.fvm/fvm_config\.json$/ for manager fvm (repository=local)
DEBUG: Using file pattern: /(^|/)\.fvmrc$/ for manager fvm (repository=local)
DEBUG: Using file pattern: /(^|/)\.gitmodules$/ for manager git-submodules (repository=local)
DEBUG: Using file pattern: /(^|/)(workflow-templates|\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\.ya?ml$/ for manager github-actions (repository=local)
DEBUG: Using file pattern: /(^|/)action\.ya?ml$/ for manager github-actions (repository=local)
DEBUG: Using file pattern: /\.gitlab-ci\.ya?ml$/ for manager gitlabci (repository=local)
DEBUG: Using file pattern: /\.gitlab-ci\.ya?ml$/ for manager gitlabci-include (repository=local)
DEBUG: Using file pattern: /(^|/)gleam.toml$/ for manager gleam (repository=local)
DEBUG: Using file pattern: /(^|/)go\.mod$/ for manager gomod (repository=local)
DEBUG: Using file pattern: /\.gradle(\.kts)?$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)gradle\.properties$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)gradle/.+\.toml$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)buildSrc/.+\.kt$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /\.versions\.toml$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)versions.props$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)versions.lock$/ for manager gradle (repository=local)
DEBUG: Using file pattern: /(^|/)gradle/wrapper/gradle-wrapper\.properties$/ for manager gradle-wrapper (repository=local)
DEBUG: Using file pattern: /\.cabal$/ for manager haskell-cabal (repository=local)
DEBUG: Using file pattern: /(^|/)requirements\.ya?ml$/ for manager helm-requirements (repository=local)
DEBUG: Using file pattern: /(^|/)values\.ya?ml$/ for manager helm-values (repository=local)
DEBUG: Using file pattern: /(^|/)helmfile\.ya?ml(?:\.gotmpl)?$/ for manager helmfile (repository=local)
DEBUG: Using file pattern: /(^|/)helmfile\.d/.+\.ya?ml(?:\.gotmpl)?$/ for manager helmfile (repository=local)
DEBUG: Using file pattern: /(^|/)Chart\.ya?ml$/ for manager helmv3 (repository=local)
DEBUG: Using file pattern: /(^|/)bin/hermit$/ for manager hermit (repository=local)
DEBUG: Using file pattern: /(^|/)manifest\.json$/ for manager homeassistant-manifest (repository=local)
DEBUG: Using file pattern: /^Formula/[^/]+[.]rb$/ for manager homebrew (repository=local)
DEBUG: Using file pattern: /\.html?$/ for manager html (repository=local)
DEBUG: Using file pattern: /(^|/)plugins\.(txt|ya?ml)$/ for manager jenkins (repository=local)
DEBUG: Using file pattern: /(^|/)jsonnetfile\.json$/ for manager jsonnet-bundler (repository=local)
DEBUG: Using file pattern: /^.+\.main\.kts$/ for manager kotlin-script (repository=local)
DEBUG: Using file pattern: /(^|/)kustomization\.ya?ml$/ for manager kustomize (repository=local)
DEBUG: Using file pattern: /(^|/)project\.clj$/ for manager leiningen (repository=local)
DEBUG: Using file pattern: /(^|/|\.)pom\.xml$/ for manager maven (repository=local)
DEBUG: Using file pattern: /^(((\.mvn)|(\.m2))/)?settings\.xml$/ for manager maven (repository=local)
DEBUG: Using file pattern: /(^|/)\.mvn/extensions\.xml$/ for manager maven (repository=local)
DEBUG: Using file pattern: /(^|\/).mvn/wrapper/maven-wrapper.properties$/ for manager maven-wrapper (repository=local)
DEBUG: Using file pattern: /(^|\/)mvnw(.cmd)?$/ for manager maven-wrapper (repository=local)
DEBUG: Using file pattern: /(^|/)package\.js$/ for manager meteor (repository=local)
DEBUG: Using file pattern: /(^|/)Mintfile$/ for manager mint (repository=local)
DEBUG: Using file pattern: **/{,.}mise{,.*}.toml for manager mise (repository=local)
DEBUG: Using file pattern: **/{,.}mise/config{,.*}.toml for manager mise (repository=local)
DEBUG: Using file pattern: **/.config/mise{,.*}.toml for manager mise (repository=local)
DEBUG: Using file pattern: **/.config/mise/{mise,config}{,.*}.toml for manager mise (repository=local)
DEBUG: Using file pattern: **/.config/mise/conf.d/*.toml for manager mise (repository=local)
DEBUG: Using file pattern: **/.rtx{,.*}.toml for manager mise (repository=local)
DEBUG: Using file pattern: /(^|/)mix\.exs$/ for manager mix (repository=local)
DEBUG: Using file pattern: /(^|/)flake\.nix$/ for manager nix (repository=local)
DEBUG: Using file pattern: /(^|/)\.node-version$/ for manager nodenv (repository=local)
DEBUG: Using file pattern: /(^|/)package\.json$/ for manager npm (repository=local)
DEBUG: Using file pattern: /(^|/)pnpm-workspace\.yaml$/ for manager npm (repository=local)
DEBUG: Using file pattern: /(^|/)\.yarnrc\.yml$/ for manager npm (repository=local)
DEBUG: Using file pattern: /\.(?:cs|fs|vb)proj$/ for manager nuget (repository=local)
DEBUG: Using file pattern: /\.(?:props|targets)$/ for manager nuget (repository=local)
DEBUG: Using file pattern: /(^|/)dotnet-tools\.json$/ for manager nuget (repository=local)
DEBUG: Using file pattern: /(^|/)global\.json$/ for manager nuget (repository=local)
DEBUG: Using file pattern: /(^|/)\.nvmrc$/ for manager nvm (repository=local)
DEBUG: Using file pattern: /(^|/)src/main/features/.+\.json$/ for manager osgi (repository=local)
DEBUG: Using file pattern: /(^|/)pyproject\.toml$/ for manager pep621 (repository=local)
DEBUG: Using file pattern: /(^|/)[\w-]*requirements([-._]\w+)?\.(txt|pip)$/ for manager pip_requirements (repository=local)
DEBUG: Using file pattern: /(^|/)setup\.py$/ for manager pip_setup (repository=local)
DEBUG: Using file pattern: /(^|/)Pipfile$/ for manager pipenv (repository=local)
DEBUG: Using file pattern: /(^|/)pyproject\.toml$/ for manager pixi (repository=local)
DEBUG: Using file pattern: /(^|/)pixi\.toml$/ for manager pixi (repository=local)
DEBUG: Using file pattern: /(^|/)pyproject\.toml$/ for manager poetry (repository=local)
DEBUG: Using file pattern: /(^|/)\.pre-commit-config\.ya?ml$/ for manager pre-commit (repository=local)
DEBUG: Using file pattern: /(^|/)pubspec\.ya?ml$/ for manager pub (repository=local)
DEBUG: Using file pattern: /(^|/)Puppetfile$/ for manager puppet (repository=local)
DEBUG: Using file pattern: /(^|/)\.python-version$/ for manager pyenv (repository=local)
DEBUG: Using file pattern: /.+\.container$/ for manager quadlet (repository=local)
DEBUG: Using file pattern: /.+\.image$/ for manager quadlet (repository=local)
DEBUG: Using file pattern: /.+\.volume$/ for manager quadlet (repository=local)
DEBUG: Using file pattern: renovate.json for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: renovate.json5 for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .github/renovate.json for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .github/renovate.json5 for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .gitlab/renovate.json for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .gitlab/renovate.json5 for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .renovaterc for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .renovaterc.json for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: .renovaterc.json5 for manager renovate-config-presets (repository=local)
DEBUG: Using file pattern: /(^|/)\.ruby-version$/ for manager ruby-version (repository=local)
DEBUG: Using file pattern: /(^|/)runtime.txt$/ for manager runtime-version (repository=local)
DEBUG: Using file pattern: /\.sbt$/ for manager sbt (repository=local)
DEBUG: Using file pattern: /project/[^/]*\.scala$/ for manager sbt (repository=local)
DEBUG: Using file pattern: /project/build\.properties$/ for manager sbt (repository=local)
DEBUG: Using file pattern: /(^|/)repositories$/ for manager sbt (repository=local)
DEBUG: Using file pattern: /(^|/)\.scalafmt.conf$/ for manager scalafmt (repository=local)
DEBUG: Using file pattern: /(^|/)setup\.cfg$/ for manager setup-cfg (repository=local)
DEBUG: Using file pattern: /(^|/)Package\.swift/ for manager swift (repository=local)
DEBUG: Using file pattern: **/*.tf for manager terraform (repository=local)
DEBUG: Using file pattern: **/*.tofu for manager terraform (repository=local)
DEBUG: Using file pattern: /(^|/)\.terraform-version$/ for manager terraform-version (repository=local)
DEBUG: Using file pattern: /(^|/)terragrunt\.hcl$/ for manager terragrunt (repository=local)
DEBUG: Using file pattern: /(^|/)\.terragrunt-version$/ for manager terragrunt-version (repository=local)
DEBUG: Using file pattern: /\.tflint\.hcl$/ for manager tflint-plugin (repository=local)
DEBUG: Using file pattern: /^\.travis\.ya?ml$/ for manager travis (repository=local)
DEBUG: Using file pattern: /\.typ$/ for manager typst (repository=local)
DEBUG: Using file pattern: **/ProjectSettings/ProjectVersion.txt for manager unity3d (repository=local)
DEBUG: Using file pattern: /(^|/)\.vela\.ya?ml$/ for manager velaci (repository=local)
DEBUG: Using file pattern: /(^|/)vendir\.yml$/ for manager vendir (repository=local)
DEBUG: Using file pattern: /^\.woodpecker(?:/[^/]+)?\.ya?ml$/ for manager woodpecker (repository=local)
DEBUG: Using file pattern: **/{j,t}sconfig.json for manager regex (repository=local)
DEBUG: Using file pattern: **/{j,t}sconfig.*.json for manager regex (repository=local)
DEBUG: Using file pattern: **/{j,t}sconfig.json for manager regex (repository=local)
DEBUG: Using file pattern: **/{j,t}sconfig.*.json for manager regex (repository=local)
DEBUG: Matched 1 file(s) for manager github-actions: .github/workflows/ci.yml (repository=local)
DEBUG: Matched 1 file(s) for manager renovate-config-presets: renovate.json (repository=local)
DEBUG: manager extract durations (ms) (repository=local)
       "managers": {"github-actions": 5, "renovate-config-presets": 6}
DEBUG: Found github-actions package files (repository=local)
DEBUG: Found 1 package file(s) (repository=local)
 INFO: Dependency extraction complete (repository=local)
       "stats": {
         "managers": {"github-actions": {"fileCount": 1, "depCount": 3}},
         "total": {"fileCount": 1, "depCount": 3}
       }
DEBUG: hostRules: authentication already set for api.github.com (repository=local)
DEBUG: Using queue: host=api.github.com, concurrency=16 (repository=local)
DEBUG: http cache: saving https://api.github.com/repos/actions/checkout/commits?per_page=1 (etag=W/"c9a1027326cc7984273456d41661c7eeabc31c7d4812f652d55fe4750d75147b", lastModified=Fri, 09 Jan 2026 20:09:42 GMT) (repository=local)
DEBUG: http cache: saving https://api.github.com/repos/actions/checkout/commits?per_page=1 (etag=W/"c9a1027326cc7984273456d41661c7eeabc31c7d4812f652d55fe4750d75147b", lastModified=Fri, 09 Jan 2026 20:09:42 GMT) (repository=local)
DEBUG: PackageFiles.add() - Package file saved for base branch (repository=local)
DEBUG: Package releases lookups complete (repository=local)
DEBUG: LibYears: no currentVersionTimestamp for actions/checkout (repository=local)
DEBUG: Repository libYears (repository=local)
       "libYears": {"managers": {"github-actions": 0}, "total": 0},
       "dependencyStatus": {"outdated": 1, "total": 2}
DEBUG: branchifyUpgrades (repository=local)
DEBUG: detectSemanticCommits() (repository=local)
DEBUG: getCommitMessages (repository=local)
DEBUG: semanticCommits: detected "unknown" (repository=local)
DEBUG: semanticCommits: disabled (repository=local)
DEBUG: 2 flattened updates found: actions/checkout, actions/checkout (repository=local)
DEBUG: Returning 1 branch(es) (repository=local)
DEBUG: Branch is not pending, removing pending upgrades (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: config.repoIsOnboarded=true (repository=local)
DEBUG: packageFiles with updates (repository=local)
       "config": {
         "github-actions": [
           {
             "deps": [
               {
                 "depName": "actions/checkout",
                 "commitMessageTopic": "{{{depName}}} action",
                 "versioning": "docker",
                 "depType": "action",
                 "replaceString": "actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5",
                 "autoReplaceStringTemplate": "{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}",
                 "currentDigest": "ee0669bd1cc54295c223e0bb666b733df41de1c5",
                 "datasource": "github-tags",
                 "updates": [
                   {
                     "updateType": "digest",
                     "newDigest": "0c366fd6a839edf440554fa01a7085ccba70ac98",
                     "branchName": "renovate/actions-checkout-digest"
                   }
                 ],
                 "packageName": "actions/checkout",
                 "warnings": []
               },
               {
                 "depName": "actions/checkout",
                 "commitMessageTopic": "{{{depName}}} action",
                 "versioning": "docker",
                 "depType": "action",
                 "replaceString": "actions/checkout@033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1",
                 "autoReplaceStringTemplate": "{{depName}}@{{#if newDigest}}{{newDigest}}{{#if newValue}} # {{newValue}}{{/if}}{{/if}}{{#unless newDigest}}{{newValue}}{{/unless}}",
                 "currentDigest": "033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1",
                 "datasource": "github-tags",
                 "updates": [
                   {
                     "updateType": "digest",
                     "newDigest": "0c366fd6a839edf440554fa01a7085ccba70ac98",
                     "branchName": "renovate/actions-checkout-digest"
                   }
                 ],
                 "packageName": "actions/checkout",
                 "warnings": []
               },
               {
                 "depName": "ubuntu",
                 "currentValue": "latest",
                 "replaceString": "ubuntu-latest",
                 "depType": "github-runner",
                 "datasource": "github-runners",
                 "autoReplaceStringTemplate": "{{depName}}-{{newValue}}",
                 "skipReason": "invalid-version",
                 "updates": [],
                 "packageName": "ubuntu"
               }
             ],
             "packageFile": ".github/workflows/ci.yml"
           }
         ]
       }
DEBUG: detectSemanticCommits() (repository=local)
DEBUG: semanticCommits: returning "disabled" from cache (repository=local)
DEBUG: processRepo() (repository=local)
DEBUG: Processing 1 branch: renovate/actions-checkout-digest (repository=local)
DEBUG: 0 PRs are currently open (repository=local)
DEBUG: ConcurrentPRs count = 0 (repository=local)
DEBUG: 1 already existing branches found. (repository=local)
DEBUG: Branches count = 1 (repository=local)
DEBUG: Calculating PRs created so far in this hour currentHourStart=2026-03-30T14:00:00.000Z (repository=local)
DEBUG: 0 PRs have been created so far in this hour. (repository=local)
DEBUG: HourlyPRs count = 0 (repository=local)
DEBUG: Calculating commits so far in this hour currentHourStart=2026-03-30T14:00:00.000Z (repository=local)
DEBUG: 0 commits so far in this hour. (repository=local)
DEBUG: HourlyCommits count = 0 (repository=local)
DEBUG: syncBranchState() (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: syncBranchState(): Branch cache not found, creating minimal branchState (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: branchExists=true (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: dependencyDashboardCheck=undefined (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Check for closed PR because recreating closed PRs is disabled. (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: prAlreadyExisted=false (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Open PR Count: 0, Existing Branch Count: 1, Hourly PR Count: 0, Hourly Commit Count: 0 (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: commitHourlyLimit of the upgrades present in this branch (repository=local, branch=renovate/actions-checkout-digest)
       "limits": [{"depName": "actions/checkout", "commitHourlyLimit": 0}]
DEBUG: commitHourlyLimit of this branch is unlimited, because at least one of the upgrade has it's commitHourlyLimit set to "No limit" ie. 0 or null (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Checking if PR has been edited (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Checking schedule(schedule=at any time, tz=null, now=2026-03-30T14:25:07.239Z) (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: No schedule defined (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Converting rebaseWhen=auto to rebaseWhen=conflicted because no rule for behind-base-branch applies (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Branch already exists (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Skipping behind base branch check due to rebaseWhen=conflicted (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Branch does not need rebasing (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: Using reuseExistingBranch: true (repository=local, branch=renovate/actions-checkout-digest)
DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=true (repository=local, branch=renovate/actions-checkout-digest)
 WARN: Error updating branch (repository=local, branch=renovate/actions-checkout-digest)
       "err": {
         "message": "Cannot sync git when platform=local",
         "stack": "Error: Cannot sync git when platform=local\n    at file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/util/git/index.ts:413:13\n    at instrument.attributes.attributes (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/instrumentation/with-instrumenting.ts:41:35)\n    at file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/instrumentation/index.ts:184:19\n    at AsyncLocalStorage.run (node:internal/async_local_storage/async_context_frame:63:14)\n    at AsyncLocalStorageContextManager.with (/Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/@opentelemetry/context-async-hooks/src/AsyncLocalStorageContextManager.ts:29:36)\n    at ContextAPI.with (/Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/@opentelemetry/api/src/api/context.ts:77:42)\n    at Tracer.startActiveSpan (/Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/@opentelemetry/sdk-trace-base/src/Tracer.ts:249:28)\n    at instrument (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/instrumentation/index.ts:182:22)\n    at file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/instrumentation/with-instrumenting.ts:41:12\n    at getFile (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/util/git/index.ts:1105:9)\n    at getFileContent (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/update/branch/get-updated.ts:34:25)\n    at getUpdatedPackageFiles (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/update/branch/get-updated.ts:120:38)\n    at processBranch (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/update/branch/index.ts:605:25)\n    at processTicksAndRejections (node:internal/process/task_queues:104:5)\n    at instrument.attributes (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/process/write.ts:187:21)\n    at writeUpdates (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/process/write.ts:160:17)\n    at update (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/process/extract-update.ts:253:11)\n    at renovateRepository (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/repository/index.ts:143:19)\n    at instrument.attributes (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/global/index.ts:219:11)\n    at start (file:///Users/shaan/.npm/_npx/59c0475bfd22776c/node_modules/renovate/lib/workers/global/index.ts:204:7)"
       }
DEBUG: Existing config file no longer exists (repository=local)
DEBUG: Got file list using git (repository=local)
DEBUG: Found renovate.json config file (repository=local)
DEBUG: Repository config (repository=local)
       "fileName": "renovate.json",
       "config": {
         "$schema": "https://docs.renovatebot.com/renovate-schema.json",
         "extends": ["config:recommended"]
       }
DEBUG: Config does not need migration (repository=local)
DEBUG: ensureDependencyDashboard() (repository=local)
DEBUG: Ensuring Dependency Dashboard (repository=local)
DEBUG: Checking packageFiles for deprecated or replacement packages (repository=local)
 INFO: DRY-RUN: Would ensure Dependency Dashboard (repository=local)
       "title": "Dependency Dashboard"
DEBUG: checkReconfigureBranch() (repository=local)
DEBUG: Not attempting to reconfigure when running with local platform (repository=local)
DEBUG: Removing any stale branches (repository=local)
DEBUG: config.repoIsOnboarded=true (repository=local)
DEBUG: No defaultBranch set - skipping branch pruning (repository=local)
 INFO: DRY-RUN: Would save repository cache. (repository=local)
DEBUG: PackageFiles.clear() - Package files deleted (repository=local)
DEBUG: Branch summary (repository=local)
       "cacheModified": undefined,
       "baseBranches": [{"branchName": "", "sha": null}],
       "branches": [],
       "defaultBranch": "",
       "inactiveBranches": ["renovate/actions-checkout-digest"]
DEBUG: branches info extended (repository=local)
       "branchesInformation": [
         {
           "branchName": "renovate/actions-checkout-digest",
           "prNo": null,
           "prTitle": "Update actions/checkout digest to 0c366fd",
           "result": "error",
           "upgrades": [
             {
               "datasource": "github-tags",
               "depName": "actions/checkout",
               "displayPending": "",
               "currentDigest": "033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1",
               "newDigest": "0c366fd6a839edf440554fa01a7085ccba70ac98",
               "packageFile": ".github/workflows/ci.yml",
               "updateType": "digest",
               "packageName": "actions/checkout"
             },
             {
               "datasource": "github-tags",
               "depName": "actions/checkout",
               "displayPending": "",
               "currentDigest": "ee0669bd1cc54295c223e0bb666b733df41de1c5",
               "newDigest": "0c366fd6a839edf440554fa01a7085ccba70ac98",
               "packageFile": ".github/workflows/ci.yml",
               "updateType": "digest",
               "packageName": "actions/checkout"
             }
           ]
         }
       ]
DEBUG: Renovate repository PR statistics (repository=local)
       "stats": {"total": 0, "open": 0, "closed": 0, "merged": 0}
DEBUG: Repository result: done, status: onboarded, enabled: true, onboarded: true (repository=local)
DEBUG: repository problems (repository=local)
       "repoProblems": ["⚠️ WARN: Error updating branch"]
DEBUG: Repository timing splits (milliseconds) (repository=local)
       "splits": {"init": 376, "onboarding": 0, "extract": 110, "lookup": 396, "update": 25},
       "total": 919
DEBUG: Package cache statistics (repository=local)
       "get": {"count": 0, "avgMs": 0, "medianMs": 0, "maxMs": 0, "totalMs": 0},
       "set": {"count": 0, "avgMs": 0, "medianMs": 0, "maxMs": 0, "totalMs": 0}
DEBUG: HTTP statistics (repository=local)
       "hosts": {
         "api.github.com": {
           "count": 2,
           "reqAvgMs": 343,
           "reqMedianMs": 345,
           "reqMaxMs": 345,
           "queueAvgMs": 5,
           "queueMedianMs": 8,
           "queueMaxMs": 8
         }
       },
       "requests": 2
DEBUG: HTTP cache statistics (repository=local)
       "https://api.github.com": {"/repos/actions/checkout/commits": {"hit": 0, "miss": 2}}
DEBUG: Lookup statistics (repository=local)
       "github-tags": {"count": 2, "avgMs": 358, "medianMs": 359, "maxMs": 359, "totalMs": 715}
DEBUG: Cache fallback URLs (repository=local)
       "count": 0,
       "hits": {}
DEBUG: Git operations statistics (repository=local)
 INFO: Repository finished (repository=local)
       "cloned": undefined,
       "durationMs": 919,
       "result": "done",
       "status": "onboarded",
       "enabled": true,
       "onboarded": true
DEBUG: Checking file package cache for expired items
DEBUG: Deleted 0 of 0 file cached entries in 5ms
 INFO: Renovate is exiting with a non-zero code due to the following logged errors
       "loggerErrors": [
         {
           "name": "renovate",
           "level": 50,
           "logContext": "775b1c5b-0cdc-4916-8de1-360dd4a8aa08",
           "versions": {
             "node": "25.8.1",
             "acorn": "8.16.0",
             "ada": "3.4.3",
             "amaro": "1.1.8",
             "ares": "1.34.6",
             "brotli": "1.2.0",
             "cldr": "48.0",
             "icu": "78.3",
             "lief": "0.17.0",
             "llhttp": "9.3.1",
             "merve": "1.2.0",
             "modules": "141",
             "napi": "10",
             "nbytes": "0.1.3",
             "ncrypto": "0.0.1",
             "nghttp2": "1.68.1",
             "nghttp3": "",
             "ngtcp2": "",
             "openssl": "3.6.1",
             "simdjson": "4.4.2",
             "simdutf": "7.3.3",
             "sqlite": "3.51.3",
             "tz": "2026a",
             "undici": "7.22.0",
             "unicode": "17.0",
             "uv": "1.52.1",
             "uvwasi": "0.0.23",
             "v8": "14.1.146.11-node.21",
             "zlib": "1.2.12",
             "zstd": "1.5.7"
           },
           "range": "^24.11.0",
           "msg": "Unsupported node environment detected. Please update your node version."
         }
       ]

Answered by shaanmajid

Apr 7, 2026

This was fixed (following the disabled approach) in #42398

View full answer

shaanmajid · 2026-03-30T14:41:21Z

shaanmajid
Mar 30, 2026
Author

I would expect naked SHA pins to receive skipReason: 'unspecified-version' at extraction time. Without a version comment, Renovate has no branch/tag context to determine what "updated" means for the digest.

Happy to create a fix PR if this is indeed a bug. Came across this during development of #41683

3 replies

jamietanna Mar 30, 2026
Maintainer

I think that's reasonable that we shouldn't attempt to update - cc @viceice @RahulGautamSingh any thoughts against changing this behaviour to use i.e. unspecified-version? (Or a similar skipReason)?

viceice Mar 30, 2026
Maintainer

I think we should instead set those to disabled, so users can enable again via package rules. like we do for indirect go deps

RahulGautamSingh Mar 31, 2026
Collaborator

I agree with the disabled approach as it let's users have control over what happens while setting unspecified-version prevents them from enabling the updates later if they want it for some reason.

shaanmajid · 2026-04-07T18:38:21Z

shaanmajid
Apr 7, 2026
Author

This was fixed (following the disabled approach) in #42398

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Naked GitHub Actions SHA digest updates resolve to default branch HEAD instead of pinned branch #42245

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Naked GitHub Actions SHA digest updates resolve to default branch HEAD instead of pinned branch #42245

Uh oh!

shaanmajid Mar 30, 2026

How are you running Renovate?

Which platform you running Renovate on?

Which version of Renovate are you using?

Please tell us more about your question or problem

MRE

Logs (if relevant)

Replies: 2 comments · 3 replies

Uh oh!

Uh oh!

shaanmajid Mar 30, 2026 Author

Uh oh!

jamietanna Mar 30, 2026 Maintainer

Uh oh!

viceice Mar 30, 2026 Maintainer

Uh oh!

RahulGautamSingh Mar 31, 2026 Collaborator

Uh oh!

shaanmajid Apr 7, 2026 Author

shaanmajid
Mar 30, 2026

Replies: 2 comments 3 replies

shaanmajid
Mar 30, 2026
Author

jamietanna Mar 30, 2026
Maintainer

viceice Mar 30, 2026
Maintainer

RahulGautamSingh Mar 31, 2026
Collaborator

shaanmajid
Apr 7, 2026
Author