docs: add Git SHA management guidelines to CLAUDE.md

jdalton · jdalton · commit b94a1086bd69 · 2025-10-03T07:39:41.000-04:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -428,6 +428,18 @@ Follow the [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) format:
 - **test-ci**: `"dotenvx -q run -f .env.test -- vitest run"` - Tests without watch mode (no linting/building)
 - **type-ci**: `"pnpm run check:tsc"` - Type checking without emitting files
 
+### Git SHA Management (CRITICAL)
+- **🚨 NEVER GUESS OR MAKE UP GIT SHAs**: Always retrieve the exact full SHA using `git rev-parse`
+  - ✅ CORRECT: `cd /path/to/repo && git rev-parse HEAD` or `git rev-parse main`
+  - ❌ WRONG: Guessing the rest of a SHA after seeing only the short version (e.g., `43a668e1`)
+  - **Why this matters**: GitHub Actions workflow references require exact, full 40-character SHAs
+  - **Consequences of wrong SHA**: Workflow failures with "workflow was not found" errors
+- **Updating workflow SHA references**: When updating SHA references in workflow files:
+  1. Get the exact full SHA: `cd repo && git rev-parse HEAD`
+  2. Use the FULL 40-character SHA in sed commands
+  3. Verify the SHA exists: `git show <sha> --stat`
+- **Rationale**: Using incorrect SHAs breaks CI/CD pipelines and wastes debugging time
+
 ## Architecture
 
 This is a monorepo for Socket.dev optimized package overrides, built with JavaScript and managed with pnpm workspaces.
