Security: pin GitHub Actions to SHA hashes #80
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Pull Request Overview
The PR successfully pins all GitHub Actions to commit SHAs to prevent supply chain attacks. However, it should not be merged in its current state due to a major compatibility regression. The chosen SHA for actions/github-script corresponds to v2.0.0, which does not support the github-token input and uses a deprecated Node.js runtime. This will cause authentication failures in the workflows. Additionally, several scripts remain vulnerable to code injection through direct context interpolation. These functional and security issues must be addressed before approval.
About this PR
- The PR pins actions/github-script to a version (v2.0.0) that is too old for the current workflow requirements. This version mismatch is present in every workflow file using this action and requires a synchronized upgrade to a modern version (v7+).
Test suggestions
- Verify all occurrences of actions/github-script are updated to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45.
- Verify all occurrences of atlassian/gajira-login are updated to SHA 90a599561baaf8c05b080645ed73db7391c246ed.
- Verify atlassian/gajira-create is updated to SHA c0a9c69ac9d6aa063fed57201e55336ada860183.
- Verify atlassian/gajira-comment is updated to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203.
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
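The two problems this thread raises, mutable `uses:` references and event data interpolated straight into `run:`/`script:` bodies, are both visible from the workflow text alone. Below is an added example of a small audit script that checks for both; it is not the Codacy audit script that generated this PR and not part of the repository. The two workflow snippets are constructed for the example, the 40-character SHAs in the hardened snippet are placeholders rather than real commits of actions/checkout or actions/github-script, and the list of "untrusted" contexts is a short denylist assumed for illustration, not a complete one.

```python
"""Audit GitHub Actions workflow YAML for two supply-chain weaknesses:
mutable `uses:` refs (tags/branches instead of commit SHAs) and
expression interpolation of attacker-controlled event data into
run:/script: bodies. Line-oriented on purpose, so no YAML library needed."""
import re

# owner/repo[/path]@ref, optionally followed by "# vX.Y.Z" recording the tag
# the SHA was pinned from. docker:// and ./local actions do not match and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)(?:\s*#\s*(\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SCRIPT_KEY_RE = re.compile(r"^(?:-\s+)?(run|script):")
# Contexts an outside contributor controls (assumption: a short denylist, not exhaustive).
UNTRUSTED_CTX_RE = re.compile(
    r"\$\{\{\s*(github\.event\.(?:issue|pull_request|comment|review|head_commit|commits)[^}]*"
    r"|github\.head_ref)\s*\}\}"
)


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per problem: kind, 1-based line, offending text."""
    findings = []
    block_indent = None  # indent of the run:/script: key whose scalar block we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip()
        indent = len(raw) - len(stripped)
        if not stripped:
            continue
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # indentation returned to the key level: block ended
        m = USES_RE.match(raw)
        if m:
            action, ref, version_comment = m.groups()
            if not SHA_RE.match(ref):
                findings.append({"kind": "mutable-ref", "line": lineno, "text": f"{action}@{ref}"})
            elif version_comment is None:
                # A bare SHA is unreadable in review and tooling such as Dependabot
                # relies on the "# vX" comment when bumping pinned actions.
                findings.append({"kind": "sha-without-version-comment", "line": lineno,
                                 "text": f"{action}@{ref}"})
            continue
        key = SCRIPT_KEY_RE.match(stripped)
        if key:
            block_indent = indent + key.start(1)  # key position, not the list dash
        if block_indent is not None:
            # Interpolation here becomes shell or JavaScript source; in env: it stays data.
            for ctx in UNTRUSTED_CTX_RE.finditer(raw):
                findings.append({"kind": "context-injection", "line": lineno, "text": ctx.group(0)})
    return findings


def resolve_command(action: str, tag: str) -> str:
    """Command that resolves a tag to the commit SHA to pin. For an annotated tag
    ls-remote prints both refs/tags/<tag> (the tag object) and refs/tags/<tag>^{}
    (the peeled commit); pin the peeled one, since actions run the commit."""
    repo = "/".join(action.split("/")[:2])
    return f"git ls-remote --tags https://github.com/{repo} {tag}"


# Constructed sample: the shape this PR's review objects to.
VULNERABLE_WORKFLOW = r"""
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // issue title lands inside JavaScript source
            const title = "${{ github.event.issue.title }}";
            console.log(title);
      - run: echo "${{ github.event.issue.body }}"
"""

# Constructed sample: SHA-pinned with version comments, event data passed via env.
# The SHAs are placeholders, not real commits of either action.
HARDENED_WORKFLOW = r"""
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/github-script@1111111111111111111111111111111111111111 # v7 (placeholder SHA)
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // read from the environment: the value is data, never source
            const title = process.env.ISSUE_TITLE;
            console.log(title);
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
      - run: printf '%s\n' "$ISSUE_BODY"
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
"""

if __name__ == "__main__":
    for f in audit_workflow(VULNERABLE_WORKFLOW):
        print(f"line {f['line']}: {f['kind']}: {f['text']}")
    print(resolve_command("actions/github-script", "v7"))
```

Running it on the vulnerable snippet reports the two tag references and the two interpolations; the hardened snippet produces no findings. The script only flags interpolation inside `run:`/`script:`; values passed through `with:` inputs are left to the action, so review those against what the action does with them.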