autoupdate --freeze pins annotated tag object SHAs instead of commit SHAs #3645
Description
search you tried in the issue tracker
freeze annotated tag SHA commit, "tag object", "rev-parse dereference", "^{}", "freeze 404", "frozen dependabot same version", "git cat-file" object type, freeze "different sha" same version, "lightweight" annotated tag sha, freeze churn noise unnecessary, also checked #2250, #1533, #1744, #1957, #2010, #2311, #2312, #2366, #2610, #3047, #3052, #1925 -- none cover this
describe your issue
Apologies for the earlier ticket (#3644) -- that was poorly filed. Let me try again properly; I'm looking for clarification on whether this is intended behavior.
After running pre-commit autoupdate --freeze on a config with blacken-docs at rev 1.20.0, the frozen SHA is a tag object, not a commit:
$ pre-commit autoupdate --freeze
[https://github.com/adamchainz/blacken-docs] updating 1.20.0 -> 1.20.0 (frozen)
$ grep rev .pre-commit-config.yaml
rev: dda8db18cfc68df532abf33b185ecd12d5b7b326 # frozen: 1.20.0
That SHA is the annotated tag object for 1.20.0, not the commit it points to. You can check via the GitHub API:
$ curl -s https://api.github.com/repos/adamchainz/blacken-docs/git/refs/tags/1.20.0 \
| python3 -c "import sys,json; d=json.load(sys.stdin); print(d['object']['type'])"
tag
The tag object dereferences to commit fda77690955e9b63c6687d8806bafd56a526e45f. Both resolve to the same tree, so checkout works fine. But the tag object SHA 404s on GitHub:
$ curl -s -o /dev/null -w "%{http_code}" https://github.com/adamchainz/blacken-docs/commit/dda8db18cfc68df532abf33b185ecd12d5b7b326
404
$ curl -s -o /dev/null -w "%{http_code}" https://github.com/adamchainz/blacken-docs/commit/fda77690955e9b63c6687d8806bafd56a526e45f
200
Same thing happens with check-jsonschema 0.37.1 (ed81924... is the tag object, 13614ab... is the commit).
This also causes Dependabot to produce PRs that change the SHA without changing the version, because Dependabot resolves to the commit SHA instead. See conda/conda#15820 for an example.
Is this intentional, or would it make sense for the freeze logic to dereference through tag objects?
pre-commit --version
pre-commit 4.5.1
.pre-commit-config.yaml
repos:
  - repo: https://github.com/adamchainz/blacken-docs
    rev: 1.20.0
    hooks:
      - id: blacken-docs
  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.37.0
    hooks:
      - id: check-github-workflows
      - id: check-dependabot
~/.cache/pre-commit/pre-commit.log (if present)
(not applicable)
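Added example (not part of the original issue and not pre-commit's own code): an offline audit that classifies each `# frozen:` pin as a commit or an annotated tag object, using the peeled `^{}` entries that `git ls-remote --tags` prints for annotated tags. The function names, the sample config lines and the 1.19.0 entry are constructed for illustration; the two 1.20.0 SHAs are the ones quoted in the issue.

```python
import re

# Constructed sample of `git ls-remote --tags <repo>` output. The 1.20.0 SHAs
# are the ones quoted in the issue; the 1.19.0 line is a made-up lightweight
# tag, which has no peeled "^{}" entry after it.
LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/1.19.0\n"
    "dda8db18cfc68df532abf33b185ecd12d5b7b326\trefs/tags/1.20.0\n"
    "fda77690955e9b63c6687d8806bafd56a526e45f\trefs/tags/1.20.0^{}\n"
)
# Constructed config lines in the format `autoupdate --freeze` writes.
CONFIG_LINES = [
    "    rev: dda8db18cfc68df532abf33b185ecd12d5b7b326  # frozen: 1.20.0",
    "    rev: 1111111111111111111111111111111111111111  # frozen: 1.19.0",
    "    rev: 0.37.0",
]

TAG_LINE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$", re.M)
FROZEN = re.compile(r"rev:\s*([0-9a-f]{40})\s+#\s*frozen:\s*(\S+)")


def parse_tags(ls_remote):
    """Map tag name -> (SHA the ref points at, peeled commit SHA or None)."""
    direct, peeled = {}, {}
    for sha, name, is_peeled in TAG_LINE.findall(ls_remote):
        (peeled if is_peeled else direct)[name] = sha
    return {n: (s, peeled.get(n)) for n, s in direct.items()}


def audit(config_lines, ls_remote):
    """Return (tag, pinned_sha, verdict, commit_sha) for each frozen rev."""
    tags = parse_tags(ls_remote)
    findings = []
    for line in config_lines:
        m = FROZEN.search(line)
        if not m:
            continue  # unfrozen rev such as "rev: 0.37.0"
        pinned, tag = m.groups()
        direct, commit = tags.get(tag, (None, None))
        commit = commit or direct  # lightweight tag: the ref is the commit
        verdict = ("commit" if pinned == commit else
                   "tag-object" if pinned == direct else "mismatch")
        findings.append((tag, pinned, verdict, commit))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_LINES, LS_REMOTE):
        print(finding)
```

A `mismatch` verdict means the tag is absent from the listing or the pinned SHA matches neither the tag object nor the commit it peels to.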