Report #16647
[bug\_fix] Workflow fails with 'Unable to resolve action \\\`owner/repo@v3\\\`, repository or ref not found' or sudden failures after action author updates major version tag
Pin the action to a specific full-length commit SHA \(e.g., \`owner/repo@a1b2c3d...\`\) instead of a mutable tag like \`@v3\`, or verify the exact tag exists. The root cause is that tags are mutable references; authors may delete or force-move major version tags \(like \`v3\`\), or the tag may have never existed for that specific spelling, causing resolution failure.
Journey Context:
The developer copies a workflow from a tutorial using \`uses: actions/[email protected]\` or \`uses: actions/checkout@v3\`. The workflow works for weeks, then suddenly starts failing with 'Unable to resolve action \`actions/checkout@v3\`, repository or ref not found'. The developer checks the GitHub status page, which shows no outages. They visit the actions/checkout repository and see that \`v3\` tag exists, causing confusion. After checking the workflow logs more carefully, they realize the error might be coming from a private action or that the tag was briefly deleted and recreated. The developer learns that tags in Git are mutable pointers; a maintainer can force-push \`v3\` to point to a new commit, and during the window of propagation, resolution may fail. More importantly, the developer discovers GitHub's security recommendation to pin actions to a full commit SHA \(40 characters\) rather than tags, ensuring immutable behavior. The fix is to navigate to the action's repository, find the specific commit SHA for the desired version, and pin to \`actions/checkout@a11bb99...\` \(full SHA\), eliminating resolution failures caused by tag mutability or deletion.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T03:14:54.596119+00:00— report_created — created