Tags: git, github, github-actions

How do I pin an action to a specific SHA?


A warning is appearing in my IDE indicating that my action should be pinned to a specific SHA. I understand SHAs from Git commits, but how do I track down the SHA for GitHub Actions?

Fake Example: mycoderepo/mylibrary-action@v2

Real Example: github/codeql-action/upload-sarif@v3

This is what I found on GitHub regarding the secure use of third-party actions:

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.


Solution

  • The action name is simply a pointer to a GitHub repository under a GitHub organization. The first part of the name before / is the organization, whereas the second part is the repo:

    Longer paths represent folders inside the repo:

    The remaining portion of the name prefixed by a @ represents the commit identifier. It is generally in the form of a tag @v3 but it could also be a specific SHA:

    In fact, a tag is simply a pointer to a specific SHA:

    To detect the specific SHA, you simply need to:

    1. Determine the appropriate repo name, from the action (as explained above)
    2. Visit the repo on GitHub
    3. Click on the branch/tag switcher to locate the tag you are interested in
    4. Copy the short (or full) SHA from the referenced commit

    [Image: branch/tag switcher]

    [Image: SHA version for the commit]
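As an added example (not part of the original answer), the same tag-to-commit lookup done from the command line instead of the GitHub UI: it parses the output of `git ls-remote --tags` for the action's own repository and emits the pinned `uses:` line. The sample ls-remote output and its SHAs are constructed; the peeled `^{}` handling is the caveat for annotated tags, where the plain tag ref names a tag object rather than the commit.

```python
"""Resolve a GitHub Actions `uses:` tag to a full commit SHA.

Added example, not from the original post. Input is the output of
`git ls-remote --tags https://github.com/<owner>/<repo>.git`.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def split_uses(ref: str):
    """'owner/repo/sub/dir@v3' -> (owner, repo, 'sub/dir', 'v3')."""
    path, _, version = ref.partition("@")
    parts = path.split("/")
    if len(parts) < 2 or not version:
        raise ValueError(f"not an owner/repo[/path]@ref reference: {ref!r}")
    return parts[0], parts[1], "/".join(parts[2:]), version

def resolve_tag(ls_remote_output: str, tag: str) -> str:
    """Return the commit SHA `tag` points at, preferring the peeled entry."""
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        sha, _, name = line.strip().partition("\t")
        if name == f"refs/tags/{tag}":
            plain = sha            # lightweight tag: already the commit
        elif name == f"refs/tags/{tag}^{{}}":
            peeled = sha           # annotated tag: commit behind the tag object
    sha = peeled or plain
    if sha is None or not SHA_RE.match(sha):
        raise LookupError(f"tag {tag!r} not found in ls-remote output")
    return sha

def pinned_uses(ref: str, ls_remote_output: str) -> str:
    """Rewrite 'owner/repo[/path]@tag' as 'owner/repo[/path]@<sha> # tag'."""
    # Pass ls-remote output taken from the owner/repo named in `ref`,
    # never from a fork, so the SHA is one upstream actually serves.
    owner, repo, path, tag = split_uses(ref)
    action = "/".join(p for p in (owner, repo, path) if p)
    return f"{action}@{resolve_tag(ls_remote_output, tag)} # {tag}"

# Constructed sample of `git ls-remote --tags` output (fake SHAs) with
# an annotated v3 tag and a lightweight v2 tag.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v3\n"
    "2222222222222222222222222222222222222222\trefs/tags/v3^{}\n"
    "3333333333333333333333333333333333333333\trefs/tags/v2\n"
)

if __name__ == "__main__":
    print(pinned_uses("github/codeql-action/upload-sarif@v3", SAMPLE_LS_REMOTE))
```

Keeping the `# v3` comment after the SHA is what lets tools such as Dependabot recognise which release the pin corresponds to when proposing updates.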