Security: pin GitHub Actions to SHA hashes #353
Up to standards ✅
Pull Request Overview
This pull request is currently not up to standards. While the objective is to enhance security by pinning GitHub Actions to immutable SHA hashes, the current implementation introduces a critical security vulnerability in the auto-merge.yml workflow by combining pull_request_target with a checkout of the PR head. This pattern can allow untrusted code to access repository secrets. Additionally, the implementation is incomplete: the actions/checkout pinning uses an outdated SHA (v2.0.0 instead of v2.7.0), and the ahmadnassri/action-dependabot-auto-merge action remains unpinned. These issues must be addressed to fulfill the security goals of the PR.
About this PR
- The objective to pin all GitHub Actions to SHA hashes has not been fully met. One action in .github/workflows/auto-merge.yml remains unpinned, and another has been pinned to an older version than previously used, potentially introducing regressions.
Test suggestions
- Verify the 'auto-merge' workflow still triggers and executes successfully with pinned actions.
- Verify the 'comment_issue' workflow still triggers and executes successfully with pinned actions.
- Verify the 'create_issue' workflow still triggers and executes successfully with pinned actions.
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 |
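Review bot: the trailing comment on the new `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5` line says only `# v2`, which does not tell a reviewer (or Dependabot, which keeps SHA pins current from that comment) which release the SHA is supposed to correspond to; a SHA pin is only reviewable when the comment names the exact tag, e.g. `# v2.7.0`. The line it replaces, `actions/checkout@v2`, was the rolling major tag, so the pinned commit should be the one that tag currently resolves to rather than an older v2 release. Confirm the mapping before merging with `git ls-remote --tags https://github.com/actions/checkout v2.7.0` and pin the commit shown on the peeled `refs/tags/v2.7.0^{}` line (for an annotated tag the unpeeled line is the tag object, not the commit).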
🔴 HIGH RISK
Critical Security Risk: This workflow uses pull_request_target while checking out the head of the incoming pull request, which allows untrusted code to run with access to repository secrets.
Additionally, the SHA ee0669bd1cc54295c223e0bb666b733df41de1c5 pins the action to v2.0.0, but the rolling v2 tag previously used resolves to v2.7.0. This downgrade may re-introduce bugs. Suggest pinning to the latest SHA:
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 | |
| - uses: actions/checkout@f404e92900e2632f5255d1d573f51ba6f2a06a2e # v2.7.0 |
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| - uses: ahmadnassri/action-dependabot-auto-merge@v2 |
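Review bot: `ahmadnassri/action-dependabot-auto-merge@v2` is still on the mutable `v2` tag in this hunk, yet the commit message states "Actions left as tags: 0", so the audit script's count is wrong and should be corrected together with the pin. The unchanged `ref: ${{ github.event.pull_request.head.sha }}` lines also show that pinning `actions/checkout` changes nothing about what is checked out: it is still the pull request's head, so under the `pull_request_target` trigger the untrusted branch is materialised in a job that holds the base repository's token. If the auto-merge action does not need the source tree, drop the checkout step entirely; otherwise move the job to a `pull_request` trigger so it runs without base-repository secrets.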
🟡 MEDIUM RISK
The action ahmadnassri/action-dependabot-auto-merge@v2 is still using a mutable tag. It must be updated to an immutable SHA hash to satisfy the security requirements of this pull request.
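The two findings above (a `uses:` reference left on a mutable tag, and a `pull_request_target` workflow that checks out the PR head) can be caught mechanically. The following linter is an added example, not the Codacy audit script or any code from this repository; it parses workflow text line by line rather than with a YAML library so it has no dependencies, and the two embedded workflows are constructed samples modelled on the auto-merge.yml hunk. The 40-zero SHA in the hardened sample is a placeholder, not a real commit of the auto-merge action.

```python
"""Lint GitHub Actions workflows for unpinned `uses:` references and for the
pull_request_target + checkout-of-PR-head pattern.  Constructed example."""
import re
from typing import List, Tuple

# The only immutable reference for an action is a full 40-hex-digit commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref` or `uses: owner/repo@ref`; group 2 stops at
# whitespace or the start of a trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r"^(\s*)-?\s*uses:\s*([^\s#]+)")
# pull_request_target written as a mapping key, a list item, or an inline list.
PRT_RE = re.compile(
    r"^\s*(-\s*)?pull_request_target\s*:?\s*$|^\s*on:\s*\[[^\]]*\bpull_request_target\b"
)
# A checkout `ref:` that points at the incoming (untrusted) pull request head.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def check_pins(workflow: str) -> List[Tuple[int, str, str]]:
    """One (line, action, issue) tuple per `uses:` that is not pinned to a full
    SHA, or that is SHA-pinned without a comment naming the release."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions have no git tag to pin
        if "@" not in ref:
            findings.append((lineno, ref, "no version reference at all"))
            continue
        action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, action, f"mutable reference '{version}'"))
        elif "#" not in line:
            findings.append((lineno, action, "SHA pin lacks a version comment"))
    return findings


def checks_out_pr_head(workflow: str) -> List[int]:
    """Line numbers of actions/checkout steps whose `ref:` is the PR head."""
    lines = workflow.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or not m.group(2).startswith("actions/checkout"):
            continue
        # Keys of this step (`with:`, `ref:`) are indented at least as far as
        # the word `uses`; the next `- ` item sits further left and ends it.
        key_indent = line.index("uses:")
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            if nxt.strip().startswith("ref:") and PR_HEAD_RE.search(nxt):
                hits.append(i + 1)
                break
    return hits


def uses_pull_request_target(workflow: str) -> bool:
    return any(PRT_RE.match(line) for line in workflow.splitlines())


def audit(workflow: str) -> List[str]:
    """Report lines, most severe first: secrets exposure before pin hygiene."""
    report = []
    if uses_pull_request_target(workflow):
        for ln in checks_out_pr_head(workflow):
            report.append(f"HIGH line {ln}: pull_request_target workflow checks out "
                          "the PR head; untrusted code runs with base-repo secrets")
    for ln, action, issue in check_pins(workflow):
        report.append(f"MEDIUM line {ln}: {action}: {issue}")
    return report


# Constructed sample modelled on the auto-merge.yml hunk under review.
VULNERABLE = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
"""

# Constructed hardened sample: no checkout of the PR head, and the auto-merge
# action SHA-pinned.  The all-zero SHA is a placeholder, not a real commit.
HARDENED = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      # No checkout step: the job does not need the pull request's source tree.
      - uses: ahmadnassri/action-dependabot-auto-merge@0000000000000000000000000000000000000000 # v2.x.y placeholder
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(wf) or ["clean"])
```

Running the block prints one HIGH finding for the checkout step and one MEDIUM finding for the `@v2` tag in the vulnerable sample, and reports the hardened sample as clean. The SHA check deliberately requires a trailing comment: a bare SHA is immutable but unreviewable, and the `# vX.Y.Z` comment is what lets a reader verify with `git ls-remote` that the pin is the release it claims to be.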
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
5861172 to c018abd
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.