Replace tagged action with a commit hash

get-tag-commit.sh

#!/usr/bin/env bash

if ! type gh > /dev/null; then
  echo "github CLI (gh) must be installed"
  exit 1
fi

action=${1}
if [ -z "$action" ]; then
  echo "Replace a tagged action with a commit hash"
  echo
  echo "USAGE:"
  echo "  get-tag-commit.sh OWNER/REPO@TAG"
  echo
  echo "EXAMPLE:"
  echo "  get-tag-commit.sh r-lib/actions/check-r-package@v2"
  echo "  # r-lib/actions/check-r-package@14a7e741c1cb130261263aa1593718ba42cf443b #v2.11.2"
  echo
  exit 0

fi
FULL=${action/@*/}
# extract just the repo portion (in case of several actions in a single repo)
REPO=${action%*/*}
TAG=${action/*@/}

# First, we grab the SHA from the git ref tags.
SHA=$(gh api "repos/${REPO}/git/refs/tags/${TAG}" --jq '.object.sha')
if [ -z "$SHA" ]; then
  # This shouldn't happen, but if the first turns up empty, we can scan the tags
  SHA=$(gh api "repos/${REPO}/tags" --jq ".[] | select((.name==\"$TAG\")).commit.sha")
fi
# Get the real tag (not just floating tag) by searching through the tags for the SHA
VTAG=$(gh api "repos/${REPO}/tags" --jq "[.[] | select((.commit.sha==\"$SHA\")).name][0]")

echo "${FULL}@${SHA} #${VTAG/*tree\/}"

If you have ripgrep installed, you can use it like this from the top of your repository (I'm on a Mac, so this might work different on Linux):

ORG=actions
for i in $(rg uses: .github/workflows/ | sed -E 's/^.*uses..//' | sort | uniq | grep $ORG);
do sed -i "" -r -E "s_$(echo $i)_$(get-tag-commit.sh $i)_" .github/workflows/*yaml;
done

I've migrated this to a package: https://zkamvar.github.io/pinsha/