feat: add options to load the action from a specific repo/ref

[aduh95]

See https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Tested with https://github.com/nodejs/node-core-utils/actions/runs/15667322080/job/44133183235

It allows to use the action from a fork / on a specific commit. It shouldn't be a breaking change as the default is left unchanged.

[ljharb]

why would we want the repository to be overrideable?

[aduh95]

In the case of forks. I've used it to test this very PR

[dominykas]

There's a version script at the root that used to update this version during npm version: https://github.com/pkgjs/action/blob/main/package.json#L9 - not sure what's the best approach for it now.

[dominykas]

Additionally, when would github.ref not be set?

[aduh95]

Additionally, when would github.ref not be set?

As the docs say: This is only set if a branch or tag is available for the event type.
From my own testing, workflow_call leaves this undefined, although couldn't find where that's defined in the docs.

[dominykas]

What does github.repository refer to here? Would that not be the repository that sets uses: pkgjs/action, i.e. it will always try to check out the local copy (which probably won't exist), rather than the pkgjs/action itself?

I could be misinterpreting this, of course.

Additionally, when would github.repository not be set at all?

[aduh95]

What does github.repository refer to here?

On workflow_call: it's undefined. Otherwise, it's the name of the repo, as you can see in https://github.com/aduh95/action/actions/runs/15821306998, it takes the name of the fork.