# Versions & pinning

Your workflow references the action with a `uses:` ref — almost always the moving major tag `pullfrog/pullfrog@v0`. This page explains what that ref does (and doesn't) pin, and how to pin to a commit SHA safely.

## How the action is versioned

The published action is a thin bootstrap. At runtime it pulls the real agent from npm at `^<version>` (the latest release in the current major line), so the agent itself is **always current** regardless of how you pin the `uses:` ref. The ref only fixes two things from the checked-out action:

* `action.yml` — the input/output contract.
* The `post:` cleanup step — a best-effort hook that runs after every job (it persists rotated credentials and surfaces run state).

`pullfrog/pullfrog@v0` tracks the latest `v0.x` release of both. This is what the console emits and what we recommend.

## Pinning to a commit SHA

GitHub's [security hardening guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) recommends pinning third-party actions to a full commit SHA, since tags are mutable. Tools like Dependabot, [StepSecurity](https://www.stepsecurity.io/), and `pin-github-action` apply this automatically, leaving the version as a comment:

```yaml
uses: pullfrog/pullfrog@abc123… # v0
```

<Warning>
  A commit SHA is immutable, so it **freezes the `post:` cleanup step at that commit forever**. The agent still floats via npm, but a stale pin runs old cleanup code — and once an old enough revision ships an incompatible cleanup hook, every run flips to `failure` after the agent has already finished its work. The pin doesn't lock the behavior you care about (that comes from npm); it only freezes the wrapper.
</Warning>

If you pin a SHA, **keep it fresh** so the cleanup step stays current. Dependabot bumps both the SHA and the `# v0` comment automatically — add the GitHub Actions ecosystem to your config:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

## Which should I use?

| You want…                                    | Use                                                       |
| -------------------------------------------- | --------------------------------------------------------- |
| The simplest setup that always stays current | `pullfrog/pullfrog@v0`                                    |
| SHA pinning for a security policy            | a commit SHA **plus** Dependabot (above) to keep it fresh |

A bare commit SHA with no updater is the one combination to avoid — it's how the cleanup step goes stale.
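As an added example (not part of the Pullfrog docs or the action's own code), the script below audits exactly that combination. It scans workflow text for `uses:` refs, classifies each as a full commit SHA, an abbreviated SHA, a mutable tag or branch name, a local path, or a Docker image, and reports a finding when a full SHA pin exists but `.github/dependabot.yml` has no `github-actions` updater entry. The workflow, the 40-hex SHA and the Dependabot snippet it runs against are constructed sample inputs, and the regex-based parsing is a deliberate simplification: it cannot tell a tag from a branch without asking Git, so both are reported as `mutable`.

```python
# Added example, not from the Pullfrog docs: audit `uses:` refs for the one
# combination the page warns against, a commit-SHA pin with no updater.
import re
from typing import Dict, List, Optional

# A `uses:` line: capture the ref and an optional trailing `# v0`-style comment.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)["\']?\s*(?:#\s*(?P<comment>.*\S))?\s*$',
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
# The Dependabot entry from the page's .github/dependabot.yml that keeps SHA pins fresh.
GH_ACTIONS_UPDATER_RE = re.compile(r"package-ecosystem:\s*[\"']?github-actions[\"']?")


def classify_ref(ref: str) -> str:
    """Return how a `uses:` ref is pinned: local, docker, unpinned, sha, short-sha or mutable."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    version = ref.rpartition("@")[2]
    if FULL_SHA_RE.match(version):
        return "sha"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    # A tag such as v0 or a branch name: resolves to whatever it points at today.
    return "mutable"


def has_actions_updater(dependabot_yml: Optional[str]) -> bool:
    """True when dependabot.yml declares a github-actions package ecosystem."""
    return bool(dependabot_yml) and GH_ACTIONS_UPDATER_RE.search(dependabot_yml) is not None


def audit_workflow(workflow_yml: str, dependabot_yml: Optional[str]) -> List[Dict]:
    """One record per `uses:` ref: the ref, its pin kind, its comment and any finding."""
    updater = has_actions_updater(dependabot_yml)
    results = []
    for m in USES_RE.finditer(workflow_yml):
        ref, comment = m.group("ref"), m.group("comment")
        kind = classify_ref(ref)
        finding = None
        if kind == "short-sha":
            finding = "abbreviated SHA: not the full commit SHA the hardening guide asks for"
        elif kind == "sha" and not updater:
            finding = "bare SHA pin with no github-actions Dependabot entry: the post: cleanup step will go stale"
        results.append({"ref": ref, "kind": kind, "comment": comment, "finding": finding})
    return results


# Constructed sample workflow; the 40-hex SHA is made up, not a real pullfrog commit.
SAMPLE_WORKFLOW = """\
name: pullfrog
on: [pull_request]
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: pullfrog/pullfrog@0123456789abcdef0123456789abcdef01234567 # v0 (constructed SHA, not a real pullfrog commit)
      - uses: pullfrog/pullfrog@v0
      - uses: pullfrog/pullfrog@abc123def0 # v0 (abbreviated SHA, constructed)
      - uses: ./.github/actions/local-thing
"""

# Constructed dependabot.yml matching the page's recommended config.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
"""


def main() -> None:
    for dependabot in (None, SAMPLE_DEPENDABOT):
        print(f"--- github-actions updater configured: {has_actions_updater(dependabot)}")
        for r in audit_workflow(SAMPLE_WORKFLOW, dependabot):
            print(f"{r['kind']:<9} {r['ref']:<75} {r['finding'] or 'ok'}")


if __name__ == "__main__":
    main()
```

Run it against a checkout's `.github/workflows/*.yml` and `.github/dependabot.yml` contents; with no updater the full-SHA pullfrog pin is reported, and once the Dependabot entry is present the same pin passes while the abbreviated SHA is still flagged.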
