Support commit refs

action.yml

@@ -266,6 +266,35 @@ runs:
       with:
         clean: false
       if: ${{ github.event_name != 'issue_comment' && inputs.configure-checkout == 'true' }}
+
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      with:
+        clean: false
+        repository: ${{ env.action_repository }}
+        ref: ${{ env.action_ref }}
+        path: digger-action-repo
+      env:
+        action_repository: ${{ github.action_repository }}
+        action_ref: ${{ github.action_ref }}
+
+    - name: Get release tag
+      id: get_release_tag
+      shell: bash
+      working-directory: digger-action-repo
+      run: |
+        # Fetch tags
+        git fetch --prune --unshallow --tags
+        # Collect tags pointing exactly at this commit, sorted by version (highest first)
+        tags="$(git tag --points-at HEAD --sort=-v:refname || true)"
+        echo "Tags: $tags"
+        # Keep only tags that are SemVer starting with 'v' (e.g., v1.2.3, v1.2.3-rc.1, v1.2.3+meta)
+        semvers="$(printf '%s\n' "$tags" | grep -E "^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$" || true)"
+        echo "SemVers: $semvers"
+        # Pick the first (highest) match if any
+        tag="$(printf '%s\n' "$semvers" | head -n 1)"
+        echo "Tag: $tag"
+        echo "tag=$tag" >> "$GITHUB_OUTPUT"
+
     - name: Set up Google Auth Using A Service Account Key
       uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13
       with:
@@ -396,15 +425,15 @@ runs:
       with:
         go-version-file: "${{ github.action_path }}/cli/go.mod"
         cache: false
-      if: ${{ !startsWith(github.action_ref, 'v') }}
+      if: ${{ steps.get_release_tag.outputs.tag == '' }}
 
     - name: Determine Golang cache paths
       id: golang-env
       run: |
         echo "build-cache-path=$(go env GOCACHE)" >>"$GITHUB_OUTPUT"
         echo "module-cache-path=$(go env GOMODCACHE)" >>"$GITHUB_OUTPUT"
       shell: bash
-      if: ${{ !startsWith(github.action_ref, 'v') }}
+      if: ${{ steps.get_release_tag.outputs.tag == '' }}
 
     - name: Copy Digger CLI go.sum for cache key
       run: |
@@ -416,7 +445,7 @@ runs:
           cp "$GITHUB_ACTION_PATH/cli/go.sum" "$GITHUB_WORKSPACE/.digger.go.sum"
         fi
       shell: bash
-      if: ${{ !startsWith(github.action_ref, 'v') }}
+      if: ${{ steps.get_release_tag.outputs.tag == '' }}
 
     - name: Adding required env vars for next step
       uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
@@ -434,7 +463,7 @@ runs:
       shell: bash
 
     - name: build and run digger
-      if: ${{ !startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }}
+      if: ${{ steps.get_release_tag.outputs.tag == '' && inputs.local-dev-mode == 'false' }}
       shell: bash
       env:
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
@@ -486,9 +515,9 @@ runs:
         digger
 
     - name: run digger
-      if: ${{ startsWith(github.action_ref, 'v') && inputs.local-dev-mode == 'false' }}
+      if: ${{ steps.get_release_tag.outputs.tag != '' && inputs.local-dev-mode == 'false' }}
       env:
-        actionref: ${{ github.action_ref }}
+        tag: ${{ steps.get_release_tag.outputs.tag }}
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
         PLAN_UPLOAD_S3_ENCRYPTION_ENABLED: ${{ inputs.upload-plan-destination-s3-encryption-enabled }}
         PLAN_UPLOAD_S3_ENCRYPTION_TYPE: ${{ inputs.upload-plan-destination-s3-encryption-type }}
@@ -525,16 +554,16 @@ runs:
         set -euo pipefail
 
         echo "🔧 Downloading Digger CLI..."
-        echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Action Ref: ${actionref}"
+        echo "Runner OS: ${{ runner.os }}, Arch: ${{ runner.arch }}, Action Ref: ${tag}"
 
         if [[ ${{ inputs.ee }} == "true" ]]; then
           if [[ ${{ inputs.fips }} == "true" ]]; then
-            DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips"
+            DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${tag}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}-fips"
           else
-            DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}"
+            DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${tag}/digger-ee-cli-${{ runner.os }}-${{ runner.arch }}"
           fi
         else
-          DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${actionref}/digger-cli-${{ runner.os }}-${{ runner.arch }}"
+          DOWNLOAD_URL="https://github.com/diggerhq/digger/releases/download/${tag}/digger-cli-${{ runner.os }}-${{ runner.arch }}"
         fi
 
         echo "Downloading from: $DOWNLOAD_URL"
@@ -543,12 +572,12 @@ runs:
           echo "Failed to download Digger CLI from $DOWNLOAD_URL"
           echo ""
           echo "Possible reasons:"
-          echo "1. The release ${actionref} might not exist"
+          echo "1. The release ${tag} might not exist"
           echo "2. Binary for ${{ runner.os }}-${{ runner.arch }} might not be available"
           echo "3. Network connectivity issues"
           echo ""
           echo "Suggestions:"
-          echo "- Check if release ${actionref} exists at: https://github.com/diggerhq/digger/releases"
+          echo "- Check if release ${tag} exists at: https://github.com/diggerhq/digger/releases"
           echo "- Verify the architecture combination is supported"
           echo "- Try using a different release version"
           exit 1
@@ -574,7 +603,6 @@ runs:
     - name: run digger in local dev mode
       if: ${{ inputs.local-dev-mode == 'true' }}
       env:
-        actionref: ${{ github.action_ref }}
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
         PLAN_UPLOAD_S3_ENCRYPTION_ENABLED: ${{ inputs.upload-plan-destination-s3-encryption-enabled }}
         PLAN_UPLOAD_S3_ENCRYPTION_TYPE: ${{ inputs.upload-plan-destination-s3-encryption-type }}