Problem
action.yaml uses actions/cache@v5 (tag reference) in two composite action steps. Organizations with policies requiring all GitHub Actions to be pinned to full-length commit SHAs cannot use flutter-action, because GitHub validates uses: references inside composite actions at download time — regardless of whether the cache steps would actually execute at runtime.
Error: The action actions/cache@v5 is not allowed because all actions must be pinned to a full-length commit SHA
This affects any organization that enforces the "Require full length commit SHA" policy.
Affected lines in action.yaml
- Line ~82:
uses: actions/cache@v5 (Cache Flutter)
- Line ~89:
uses: actions/cache@v5 (Cache pub dependencies)
Suggested fix
Replace the tag references with pinned SHAs:
# Before
uses: actions/cache@v5
# After (example using v4.2.3)
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
This is a minimal change that does not affect functionality and unblocks organizations with SHA-pinning policies.
Problem
action.yamlusesactions/cache@v5(tag reference) in two composite action steps. Organizations with policies requiring all GitHub Actions to be pinned to full-length commit SHAs cannot useflutter-action, because GitHub validatesuses:references inside composite actions at download time — regardless of whether the cache steps would actually execute at runtime.This affects any organization that enforces the "Require full length commit SHA" policy.
Affected lines in action.yaml
uses: actions/cache@v5(Cache Flutter)uses: actions/cache@v5(Cache pub dependencies)Suggested fix
Replace the tag references with pinned SHAs:
This is a minimal change that does not affect functionality and unblocks organizations with SHA-pinning policies.