I am trying to have a periodic action that checks for vulnerabilities in the latest release of my repo. The schedule event sets GITHUB_SHA and GITHUB_REF to the latest commit of the default branch, which is not what I want.

I've tried setting these env vars on the step but it seems to have no effect, it still ends up uploading as the latest commit on my default branch. Maybe GitHub doesn't allow these to be overridden. I tried doing a checkout of that tag in a prior step as well and it also had no effect.

If these action just had a commit_sha/ref input that'd be a simple enough workaround.