Skip to content

Security: pin GitHub Actions to SHA hashes#30

Open
jorgebraz wants to merge 1 commit intomasterfrom
security/pin-actions-to-sha
Open

Security: pin GitHub Actions to SHA hashes#30
jorgebraz wants to merge 1 commit intomasterfrom
security/pin-actions-to-sha

Conversation

@jorgebraz
Copy link
Copy Markdown

@jorgebraz jorgebraz commented Mar 24, 2026

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Security: pin GitHub Actions to SHA hashes
92131e6 
Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production
Copy link
Copy Markdown

codacy-production bot commented Mar 24, 2026

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes. Give us feedback

codacy-production[bot]
codacy-production bot reviewed Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown

@codacy-production codacy-production bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR successfully implements security best practices by pinning GitHub Actions to immutable SHA hashes across all workflow files. Codacy analysis indicates the changes are up to standards with no new quality issues. However, a high-severity logic error was identified in .github/workflows/comment_issue.yml. Step-level environment variables are being referenced in if conditions before they are initialized, which will result in these steps being skipped. This functional regression must be addressed before the PR can be merged.

Test suggestions

  • Verify all actions in .github/workflows/comment_issue.yml are pinned to SHAs
  • Verify all actions in .github/workflows/create_issue.yml are pinned to SHAs
  • Verify all actions in .github/workflows/create_issue_on_label.yml are pinned to SHAs

🗒️ Improve review quality by adding custom instructions

.github/workflows/comment_issue.yml
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
Copy link
Copy Markdown

@codacy-production codacy-production bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

This step (and subsequent ones) will never execute because the if condition references undefined environment variables. You must use the steps context directly in the if condition to access outputs from previous steps.

Try running the following prompt in your coding agent:

In .github/workflows/comment_issue.yml, update all if conditions to use steps.github_issue_type.outputs.result and steps.github_issue_has_jira_issue_label.outputs.result instead of referencing them via the env context.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@codacy-production codacy-production[bot] codacy-production[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jorgebraz