From 2055d5d1c2d23e7099230645467e372ae59972d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Wed, 1 Oct 2025 21:20:14 -0400 Subject: [PATCH 01/12] feat(run-digger-action): allow specifying digger version explicitly --- action.yml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/action.yml b/action.yml index ae40c1a64..d4a92df06 100644 --- a/action.yml +++ b/action.yml @@ -232,6 +232,10 @@ inputs: description: "(orchestrator only) the spec to pass onto digger cli" required: false default: "" + digger-version: + description: "Version of digger CLI to install. Overrides the version derived from the actionref" + required: false + default: "" outputs: output: @@ -257,7 +261,7 @@ runs: exit 1 shell: bash if: inputs.setup-google-cloud == 'true' - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: clean: false ref: refs/pull/${{ github.event.issue.number }}/merge @@ -434,7 +438,7 @@ runs: shell: bash - name: build and run digger - if: ${{ !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{ inputs.digger-version == "" && !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} shell: bash env: PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} @@ -486,9 +490,9 @@ runs: digger - name: run digger - if: ${{ startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{( inputs.digger-version != "" || startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} env: - actionref: ${{ github.action_ref }} + DIGGER_VERSION: ${{ inputs.digger-version || github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} PLAN_UPLOAD_S3_ENCRYPTION_ENABLED: ${{ inputs.upload-plan-destination-s3-encryption-enabled }} PLAN_UPLOAD_S3_ENCRYPTION_TYPE: ${{ inputs.upload-plan-destination-s3-encryption-type }} 
@@ -525,16 +529,16 @@ runs: set -euo pipefail echo "🔧 Downloading Digger CLI..." - echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Action Ref: ${actionref}" + echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Digger Version: ${DIGGER_VERSION}" if [[ ${{ inputs.ee }} == "true" ]]; then if [[ ${{ inputs.fips }} == "true" ]]; then - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" fi else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-cli-${{ runner.os }}-${{ runner.arch }}" fi echo "Downloading from: $DOWNLOAD_URL" @@ -543,12 +547,12 @@ runs: echo "Failed to download Digger CLI from $DOWNLOAD_URL" echo "" echo "Possible reasons:" - echo "1. The release ${actionref} might not exist" + echo "1. The release ${DIGGER_VERSION} might not exist" echo "2. Binary for ${{ runner.os }}-${{ runner.arch }} might not be available" echo "3. Network connectivity issues" echo "" echo "Suggestions:" - echo "- Check if release ${actionref} exists at: https://github.com/diggerhq/digger/releases" + echo "- Check if release ${DIGGER_VERSION} exists at: https://github.com/diggerhq/digger/releases" echo "- Verify the architecture combination is supported" echo "- Try using a different release version" exit 1 
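Review bot: The executable fetched from the `DOWNLOAD_URL` lines built on `${DIGGER_VERSION}` in this hunk is selected only by a release tag, and no checksum or signature check is visible in either hunk of the download step. With the new `digger-version` input a caller can pin the action to a commit hash while the binary that actually runs is still whatever asset is currently attached to that tag, so the pin would not cover the CLI itself. Consider verifying the download before installing it, for example `echo "${EXPECTED_SHA256}  digger" | sha256sum -c -`, where `EXPECTED_SHA256` is a hypothetical new input or a digest read from a checksums file published with the release. The download command sits between the two hunks and is not shown, so confirm there whether verification already happens; the same applies to the final form of these lines in PATCH 09/12.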
@@ -574,7 +578,7 @@ runs: - name: run digger in local dev mode if: ${{ inputs.local-dev-mode == 'true' }} env: - actionref: ${{ github.action_ref }} + DIGGER_VERSION: ${{ github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} PLAN_UPLOAD_S3_ENCRYPTION_ENABLED: ${{ inputs.upload-plan-destination-s3-encryption-enabled }} PLAN_UPLOAD_S3_ENCRYPTION_TYPE: ${{ inputs.upload-plan-destination-s3-encryption-type }} From 8bd1383142a096771199ce80a78048f5ef98e19e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Wed, 1 Oct 2025 21:25:16 -0400 Subject: [PATCH 02/12] fix double quote comparison --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index d4a92df06..c43486670 100644 --- a/action.yml +++ b/action.yml @@ -438,7 +438,7 @@ runs: shell: bash - name: build and run digger - if: ${{ inputs.digger-version == "" && !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} shell: bash env: PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} @@ -490,7 +490,7 @@ runs: digger - name: run digger - if: ${{( inputs.digger-version != "" || startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{( inputs.digger-version != '' || startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} env: DIGGER_VERSION: ${{ inputs.digger-version || github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} From 835c56dd954363eeb1914bd47af61adbaa661466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Wed, 1 Oct 2025 21:37:58 -0400 Subject: [PATCH 03/12] balance parens --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index c43486670..b39e14eff 100644 --- a/action.yml +++ b/action.yml 
@@ -490,7 +490,7 @@ runs: digger - name: run digger - if: ${{( inputs.digger-version != '' || startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{( inputs.digger-version != '' || startsWith(github.action_ref, 'v')) && inputs.local-dev-mode == 'false' }} env: DIGGER_VERSION: ${{ inputs.digger-version || github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} From 0f2d4bb33e2421ab4c69aabb8cb370e60cf4f199 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Wed, 1 Oct 2025 21:41:41 -0400 Subject: [PATCH 04/12] use ${{ env.DIGGER_VERSION }} so version shows in script --- action.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/action.yml b/action.yml index b39e14eff..1277b393e 100644 --- a/action.yml +++ b/action.yml 
@@ -529,16 +529,16 @@ runs: set -euo pipefail echo "🔧 Downloading Digger CLI..." - echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Digger Version: ${DIGGER_VERSION}" + echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Digger Version: ${{ env.DIGGER_VERSION }}" if [[ ${{ inputs.ee }} == "true" ]]; then if [[ ${{ inputs.fips }} == "true" ]]; then - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" fi else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-cli-${{ runner.os }}-${{ runner.arch }}" fi echo "Downloading from: $DOWNLOAD_URL" @@ -547,12 +547,12 @@ runs: echo "Failed to download Digger CLI from $DOWNLOAD_URL" echo "" echo "Possible reasons:" - echo "1. The release ${DIGGER_VERSION} might not exist" + echo "1. The release ${{ env.DIGGER_VERSION }} might not exist" echo "2. Binary for ${{ runner.os }}-${{ runner.arch }} might not be available" echo "3. Network connectivity issues" echo "" echo "Suggestions:" - echo "- Check if release ${DIGGER_VERSION} exists at: https://github.com/diggerhq/digger/releases" + echo "- Check if release ${{ env.DIGGER_VERSION }} exists at: https://github.com/diggerhq/digger/releases" echo "- Verify the architecture combination is supported" echo "- Try using a different release version" exit 1 
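Review bot: Switching `${DIGGER_VERSION}` to `${{ env.DIGGER_VERSION }}` inside the `run:` script, in this hunk and the next, makes the runner substitute the value into the script text before bash parses it, so any quotes or command substitution in `inputs.digger-version` would be interpreted as shell instead of data. At this point in the series the input is still unvalidated (the vX.Y.Z check only arrives in PATCH 10/12) and PATCH 09/12 restores the shell-variable form, which leaves this commit as the unsafe one for anyone bisecting or cherry-picking. Dropping this patch or squashing it into PATCH 09/12 keeps every commit in the history safe. If the aim is only to have the version visible in the log, the existing `echo "... Digger Version: ${DIGGER_VERSION}"` already prints it at run time.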
From 77d199c8554d8356732008dbaf638dae1a7fae92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Wed, 1 Oct 2025 21:45:45 -0400 Subject: [PATCH 05/12] skip go toolchain steps --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 1277b393e..c05ef1fc5 100644 --- a/action.yml +++ b/action.yml @@ -400,7 +400,7 @@ runs: with: go-version-file: "${{ github.action_path }}/cli/go.mod" cache: false - if: ${{ !startsWith(github.action_ref, 'v') }} + if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} - name: Determine Golang cache paths id: golang-env @@ -408,7 +408,7 @@ runs: echo "build-cache-path=$(go env GOCACHE)" >>"$GITHUB_OUTPUT" echo "module-cache-path=$(go env GOMODCACHE)" >>"$GITHUB_OUTPUT" shell: bash - if: ${{ !startsWith(github.action_ref, 'v') }} + if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} - name: Copy Digger CLI go.sum for cache key run: | @@ -420,7 +420,7 @@ runs: cp "$GITHUB_ACTION_PATH/cli/go.sum" "$GITHUB_WORKSPACE/.digger.go.sum" fi shell: bash - if: ${{ !startsWith(github.action_ref, 'v') }} + if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} - name: Adding required env vars for next step uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 From c3a692aaa596a776457edbf312a59e790596cd89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 09:09:51 -0400 Subject: [PATCH 06/12] clarify binary conditions --- action.yml | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/action.yml b/action.yml index c05ef1fc5..35a4eb545 100644 --- a/action.yml +++ b/action.yml 
@@ -249,6 +249,23 @@ runs: run: echo digger run ${{ inputs.id }} shell: bash + - name: Determine binary mode (local, build, or pre-built) + id: determine-binary-mode + env: + LOCAL_DEV_MODE: ${{ inputs.local-dev-mode }} + INPUT_DIGGER_VERSION: ${{ inputs.digger-version }} + ACTION_REF: ${{ github.action_ref }} + run: | + if [[ "$LOCAL_DEV_MODE" == "true" ]]; then + BINARY_MODE="local" + elif [[ -n "$INPUT_DIGGER_VERSION" || "$ACTION_REF" == v* ]]; then + BINARY_MODE="prebuilt" + else + BINARY_MODE="build" + fi + echo "binary-mode=${BINARY_MODE}" >> ${GITHUB_OUTPUT} + shell: bash + - name: Validate Input Configuration for Google run: | if [[ -z ${{ toJSON(inputs.google-auth-credentials) }} && -z "${{ inputs.google-workload-identity-provider }}" ]]; then @@ -400,7 +417,7 @@ runs: with: go-version-file: "${{ github.action_path }}/cli/go.mod" cache: false - if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} + if: ${{ steps.determine-binary-mode.outputs.binary-mode != 'prebuilt' }} - name: Determine Golang cache paths id: golang-env @@ -408,7 +425,7 @@ runs: echo "build-cache-path=$(go env GOCACHE)" >>"$GITHUB_OUTPUT" echo "module-cache-path=$(go env GOMODCACHE)" >>"$GITHUB_OUTPUT" shell: bash - if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} + if: ${{ steps.determine-binary-mode.outputs.binary-mode != 'prebuilt' }} - name: Copy Digger CLI go.sum for cache key run: | @@ -420,7 +437,7 @@ runs: cp "$GITHUB_ACTION_PATH/cli/go.sum" "$GITHUB_WORKSPACE/.digger.go.sum" fi shell: bash - if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') }} + if: ${{ steps.determine-binary-mode.outputs.binary-mode != 'prebuilt' }} - name: Adding required env vars for next step uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 
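Review bot: The new condition `binary-mode != 'prebuilt'` on the three Go toolchain steps (the hunks at -400, -408 and -420) also matches `local`, so these steps now run whenever `local-dev-mode` is true, including when the ref is a `v` tag or `digger-version` is set, which the previous condition skipped. Whether local mode needs the toolchain is not visible in these hunks. If it does not, `if: ${{ steps.determine-binary-mode.outputs.binary-mode == 'build' }}` states the intent exactly; if it does, a short comment such as `# local and build modes both need Go` above each condition would make the widened scope deliberate. The steps themselves begin outside the hunks.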
@@ -438,7 +455,7 @@ runs: shell: bash - name: build and run digger - if: ${{ inputs.digger-version == '' && !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }} + if: ${{ steps.determine-binary-mode.outputs.binary-mode == 'build' }} shell: bash env: PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} @@ -489,8 +506,8 @@ runs: cd $GITHUB_WORKSPACE digger - - name: run digger - if: ${{( inputs.digger-version != '' || startsWith(github.action_ref, 'v')) && inputs.local-dev-mode == 'false' }} + - name: download, install, and run digger + if: ${{ steps.determine-binary-mode.outputs.binary-mode == 'prebuilt' }} env: DIGGER_VERSION: ${{ inputs.digger-version || github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} @@ -576,7 +593,7 @@ runs: digger - name: run digger in local dev mode - if: ${{ inputs.local-dev-mode == 'true' }} + if: ${{ steps.determine-binary-mode.outputs.binary-mode == 'local' }} env: DIGGER_VERSION: ${{ github.action_ref }} PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }} From 0f9e748ce4c655ff4a47a434d280848acabf2079 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 09:13:58 -0400 Subject: [PATCH 07/12] add comments for each mode --- action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 35a4eb545..542402b41 100644 --- a/action.yml +++ b/action.yml @@ -257,11 +257,11 @@ runs: ACTION_REF: ${{ github.action_ref }} run: | if [[ "$LOCAL_DEV_MODE" == "true" ]]; then - BINARY_MODE="local" + BINARY_MODE="local" # Use locally compiled binary (for development) elif [[ -n "$INPUT_DIGGER_VERSION" || "$ACTION_REF" == v* ]]; then - BINARY_MODE="prebuilt" + BINARY_MODE="prebuilt" # Install prebuilt binary from release else - BINARY_MODE="build" + BINARY_MODE="build" # Build from source at runtime fi echo "binary-mode=${BINARY_MODE}" >> ${GITHUB_OUTPUT} shell: bash 
From e3502d97e7dee63e8bb267f00783d0a1e54f322b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 18:27:06 -0400 Subject: [PATCH 08/12] update versioning docs --- action.yml | 2 +- docs/ce/howto/versioning.mdx | 60 ++++++++++++++++++++++-------------- 2 files changed, 38 insertions(+), 24 deletions(-) diff --git a/action.yml b/action.yml index 542402b41..970508d09 100644 --- a/action.yml +++ b/action.yml @@ -233,7 +233,7 @@ inputs: required: false default: "" digger-version: - description: "Version of digger CLI to install. Overrides the version derived from the actionref" + description: "Version of digger CLI to install. Overrides the version derived from the github.action_ref." required: false default: "" diff --git a/docs/ce/howto/versioning.mdx b/docs/ce/howto/versioning.mdx index a3335615d..ca8e154f2 100644 --- a/docs/ce/howto/versioning.mdx +++ b/docs/ce/howto/versioning.mdx 
@@ -1,50 +1,64 @@ --- -title: "Specifying version" -description: "For serious usecases always use a pinned version which is of the form @vX.Y.Z since this will download a compiled binary. In addition to being faster to run, it is also more secure than using a commit from a branch" +title: "Specifying Version" --- - For serious usecases always use a pinned version which is of the form @vX.Y.Z - since this will download a compiled binary. In addition to being faster to run, it - is also more secure than using a commit from a branch + For production use cases it is best to pin the version of the action with the commit hash (e.g. `-uses: diggerhq/digger@`) of the desired release + AND specify the `digger-version` input to be a tagged release (`vX.Y.Z`). + + This provides the security of ensuring the same action code is executed each time with the performance of using a pre-compiled Digger binary. -## Use vLatest tag +## Commit Hash + digger-version input (Production recommendation) + +For production usage, we recommend pinning the action to the commit hash of a released version AND specifying a Digger CLI version via the `digger-version` input. -The default and recommended way of versioning Digger is to use the vLatest tag, which always points to the latest release. The difference compared to just specifying "latest" is that it is a release with pre-built binaries, so it is faster than building from a branch, which using "latest" effectively does. +Specifying the action commit hash is the only way to ensure the same version of a GitHub Action is executed each time and helps protect against supply chain attacks such as [CVE-2025-30066](https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066). + +The `digger-version` input enables pinning to the hash while ALSO using a pre-built Digger cli binary. ``` - name: digger - uses: diggerhq/digger@vX.Y.Z - env: - ... 
+ uses: diggerhq/digger@ # vX.Y.Z + with: + digger-version: vX.Y.Z ``` -## Use a pinned version +## vLatest (Convenient auto-upgrades) -To pin a specific release of Digger, you can use `@vX.Y.Z` tag in your workflow file: +For non-production use cases, you can specify the `vLatest` tag to use the latest tagged release for the digger action and the Digger CLI. + +The difference compared to just specifying "latest" is that it is a release with pre-built binaries, so it is faster than building from a branch, which using "latest" effectively does. ``` - name: digger - uses: diggerhq/digger@vX.Y.Z - env: - ... + uses: diggerhq/digger@vLatest ``` -## Use latest commit from a branch +## vX.Y.Z (Simple and stable) + +If you aren't worried about supply chain attacks but want stability of using a specific release, you can pin the action to a specific release of Digger. + +This will infer the Digger cli version to use based on the version of the action using `github.action_ref` and install the corresponding pre-built binary. + +``` +- name: digger + uses: diggerhq/digger@vX.Y.Z +``` -You can also run latest commit from a specific branch +## Commit Hash Only (Build a specific CLI version from source at runtime) -Only use this at your own risk in non-production scenarios. This can break things! +If you want to use an unreleased version of the Digger CLI (e.g. test something on a feature branch or a yet to be released commit from `develop`), +you can specify the action with that commit hash AND omit the `digger-version` input. - Only use this at your own risk in non-production scenarios. This can break - things! + Only use this at your own risk in non-production scenarios. This can break things! ``` - name: digger - uses: diggerhq/digger@yolo-lets-do-it - env: - ... + uses: diggerhq/digger@ + with: + # OMIT THE digger-version INPUT + # digger-input: "" ``` From 4847dad3119e60e88792502f906bb24bd7d0f78f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 20:10:06 -0400 Subject: [PATCH 09/12] use bash ${VAR} instead of ${{env.VAR}} --- action.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/action.yml b/action.yml index 970508d09..16d0ae954 100644 --- a/action.yml +++ b/action.yml @@ -546,16 +546,16 @@ runs: set -euo pipefail echo "🔧 Downloading Digger CLI..." - echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Digger Version: ${{ env.DIGGER_VERSION }}" + echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Digger Version: ${DIGGER_VERSION}" if [[ ${{ inputs.ee }} == "true" ]]; then if [[ ${{ inputs.fips }} == "true" ]]; then - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips" else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}" fi else - DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${{ env.DIGGER_VERSION }}/digger-cli-${{ runner.os }}-${{ runner.arch }}" + DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${DIGGER_VERSION}/digger-cli-${{ runner.os }}-${{ runner.arch }}" fi echo "Downloading from: $DOWNLOAD_URL" 
@@ -564,12 +564,12 @@ runs: echo "Failed to download Digger CLI from $DOWNLOAD_URL" echo "" echo "Possible reasons:" - echo "1. The release ${{ env.DIGGER_VERSION }} might not exist" + echo "1. The release ${DIGGER_VERSION} might not exist" echo "2. Binary for ${{ runner.os }}-${{ runner.arch }} might not be available" echo "3. Network connectivity issues" echo "" echo "Suggestions:" - echo "- Check if release ${{ env.DIGGER_VERSION }} exists at: https://github.com/diggerhq/digger/releases" + echo "- Check if release ${DIGGER_VERSION} exists at: https://github.com/diggerhq/digger/releases" echo "- Verify the architecture combination is supported" echo "- Try using a different release version" exit 1 From 8c85a77b2e4c8acef72f95b80beb0c3cdabaeb81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 20:23:09 -0400 Subject: [PATCH 10/12] validate digger-version input --- action.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/action.yml b/action.yml index 16d0ae954..6a18e5f34 100644 --- a/action.yml +++ b/action.yml @@ -256,6 +256,13 @@ runs: INPUT_DIGGER_VERSION: ${{ inputs.digger-version }} ACTION_REF: ${{ github.action_ref }} run: | + set -euo pipefail + + if [[ ! ( -z "$INPUT_DIGGER_VERSION" || "$INPUT_DIGGER_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ) ]]; then + echo "::error::Invalid digger-version input: ${INPUT_DIGGER_VERSION}. Must be empty string or match vX.Y.Z" + exit 1 + fi + if [[ "$LOCAL_DEV_MODE" == "true" ]]; then BINARY_MODE="local" # Use locally compiled binary (for development) elif [[ -n "$INPUT_DIGGER_VERSION" || "$ACTION_REF" == v* ]]; then From 7e4f6d2a3d4b2b33372cad9124c13fd4bf30d20c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 20:26:31 -0400 Subject: [PATCH 11/12] make description more explicit --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 6a18e5f34..44d859fc1 100644 --- a/action.yml +++ b/action.yml 
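Review bot: The validation block added to the determine-binary-mode step echoes the rejected value verbatim inside a `::error::` workflow command. Because that value has just failed the vX.Y.Z check, it can contain anything, including line breaks that would begin further `::` command lines in the step output. Printing it escaped keeps the message useful without that side effect, e.g. `printf '::error::Invalid digger-version input %q. Must be empty string or match vX.Y.Z\n' "$INPUT_DIGGER_VERSION"`. PATCH 12/12 rewords the same line without changing this. Note also that only the input is checked against the strict pattern, so `ACTION_REF` still reaches the prebuilt path on the looser `v*` match further down in the step.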
@@ -233,7 +233,7 @@ inputs: required: false default: "" digger-version: - description: "Version of digger CLI to install. Overrides the version derived from the github.action_ref." + description: "Pre-compiled version of digger CLI to install. Must correspond to a valid release tag (vX.Y.Z). This value overrides the version derived from the github.action_ref." required: false default: "" From 5ae0c2d03e2163cc729ed9cb1441b419fe1fc922 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CSid?= Date: Thu, 2 Oct 2025 21:15:59 -0400 Subject: [PATCH 12/12] fix variable reference --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 44d859fc1..d0abd396a 100644 --- a/action.yml +++ b/action.yml @@ -259,7 +259,7 @@ runs: set -euo pipefail if [[ ! ( -z "$INPUT_DIGGER_VERSION" || "$INPUT_DIGGER_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ) ]]; then - echo "::error::Invalid digger-version input: ${INPUT_DIGGER_VERSION}. Must be empty string or match vX.Y.Z" + echo "::error::Invalid digger-version input $INPUT_DIGGER_VERSION. Must be empty string or match vX.Y.Z" exit 1 fi