Security: pin GitHub Actions to SHA hashes #242
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Pull Request Overview
While this PR improves security by pinning GitHub Actions to immutable SHAs, it also reveals critical security and logic issues in the modified workflows that should prevent merging in their current state. Specifically, the comment_issue.yml workflow is vulnerable to script injection through the use of inline expressions in the github-script action. Additionally, there is a logic error where step-level environment variables are used in the same step's if condition, which will cause those steps to be skipped. Runtime safety is also a concern regarding regex processing on issue titles. Codacy results are up to standards, but the functional and security risks identified here are significant.
About this PR
- The Jira ticket information is missing from the PR description, which complicates linking these security changes to internal tracking items.
Test suggestions
- Verify 'actions/github-script' is pinned to SHA '6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45' in all occurrences.
- Verify 'atlassian/gajira-login' is pinned to SHA '90a599561baaf8c05b080645ed73db7391c246ed' in all occurrences.
- Verify 'atlassian/gajira-create' is pinned to SHA 'c0a9c69ac9d6aa063fed57201e55336ada860183' in all occurrences.
- Verify 'atlassian/gajira-comment' is pinned to SHA '8ec356b5df49f1325653db7ee2da2b59a1d78203' in all occurrences.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'actions/github-script' is pinned to SHA '6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45' in all occurrences.
2. Verify 'atlassian/gajira-login' is pinned to SHA '90a599561baaf8c05b080645ed73db7391c246ed' in all occurrences.
3. Verify 'atlassian/gajira-create' is pinned to SHA 'c0a9c69ac9d6aa063fed57201e55336ada860183' in all occurrences.
4. Verify 'atlassian/gajira-comment' is pinned to SHA '8ec356b5df49f1325653db7ee2da2b59a1d78203' in all occurrences.
Low confidence findings
- There is no verification included to confirm that the new SHAs correspond to the expected version tags. It is recommended to validate these SHAs against the official action repositories.
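The test suggestions above ask that each action be pinned to a specific SHA in every occurrence. The following is an added example (not part of PR #242 or of Codacy's audit script) of a small Node.js auditor that scans a workflow's `uses:` lines, flags mutable tag/branch references, and checks SHA pins against the expected values listed in the review; the sample workflow fragment is constructed for the demonstration.

```javascript
// Added example: audit `uses:` references in a GitHub Actions workflow.
// Expected SHAs are the ones named in the review's test suggestions.
const EXPECTED_PINS = {
  'actions/github-script': '6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45',
  'atlassian/gajira-login': '90a599561baaf8c05b080645ed73db7391c246ed',
  'atlassian/gajira-create': 'c0a9c69ac9d6aa063fed57201e55336ada860183',
  'atlassian/gajira-comment': '8ec356b5df49f1325653db7ee2da2b59a1d78203',
};

// Matches `uses: owner/repo@ref`; the ref stops at whitespace or a `#` comment.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)/;

// Returns one finding per `uses:` line: pinned, mutable, or unexpected-sha.
function auditUses(workflowText, expected = EXPECTED_PINS) {
  const findings = [];
  workflowText.split('\n').forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    // Local actions and docker references are out of scope for SHA pinning.
    if (action.startsWith('./') || action.startsWith('docker://')) return;
    const isSha = /^[0-9a-f]{40}$/.test(ref);
    let status;
    if (!isSha) status = 'mutable';
    else if (expected[action] && expected[action] !== ref) status = 'unexpected-sha';
    else status = 'pinned';
    findings.push({ line: i + 1, action, ref, status });
  });
  return findings;
}

// Number of references that would fail the review's pinning requirement.
function countUnpinned(workflowText) {
  return auditUses(workflowText).filter(f => f.status !== 'pinned').length;
}

// Constructed sample fragment: one correct pin, one tag, one wrong SHA.
const SAMPLE_WORKFLOW = `
jobs:
  comment:
    steps:
      - uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
      - uses: atlassian/gajira-login@v2.0.0
      - uses: atlassian/gajira-create@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v2.0.1
`;

console.log(auditUses(SAMPLE_WORKFLOW));
```

The `unexpected-sha` status only says the pin differs from the reviewer's list; confirming that a SHA really is the commit behind a given tag still requires checking the upstream repository, as the low-confidence finding notes.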
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
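Review bot: the trailing `# v2.0.0` comment is the only link between `90a599561baaf8c05b080645ed73db7391c246ed` and the tag it replaces, and nothing in this PR shows that the two correspond (the low-confidence finding above raises the same gap). Before merging, resolve `v2.0.0` in the upstream `atlassian/gajira-login` repository (for example with `git ls-remote --tags`) and confirm it points at this commit; the same check applies to the other three pins.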
🔴 HIGH RISK
The if condition relies on env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL, but these are defined in the step's local env block. Because step-level environment variables are not evaluated until after the if check, this condition will always evaluate to false. Use step outputs directly, e.g., steps.github_issue_type.outputs.result == 'issue'.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_has_jira_issue_label | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🔴 HIGH RISK
The labels are injected directly into the script using expression expansion, which is vulnerable to script injection. Use environment variables for all untrusted data. In the 'Check if GitHub Issue has JIRA_ISSUE_LABEL' step, pass github.event.issue.labels as an environment variable and access it using process.env inside the script.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🔴 HIGH RISK
The script uses inline expression expansion (${{ toJson(...) }}) to pass data from the GitHub context. This is a security vulnerability that allows arbitrary code execution if the injected data contains malicious content. Pass the data as an environment variable and access it via process.env within the script. Refactor the 'Check GitHub Issue type' step to pass github.event.issue.pull_request as an environment variable.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: extract_jira_number | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
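Review bot: the `if` on this step compares `env.GITHUB_ISSUE_TYPE` and `env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL` exactly as the login step does; if those variables are set in this step's own `env` block, the condition is evaluated before they exist and the step is skipped. Gate it on the producing steps' outputs instead, e.g. `steps.github_issue_type.outputs.result == 'issue' && steps.github_issue_has_jira_issue_label.outputs.result == 'true'`.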
🟡 MEDIUM RISK
The script attempts to access index [1] of the regex match result without checking if a match was found. This will cause a TypeError if the issue title does not match the expected Jira ticket pattern. Modify the script in the 'Extract Jira number' step to safely handle null matches.
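The three github-script findings above (labels and `pull_request` injected via `${{ }}` expansion, and an unchecked regex match on the title) share one fix: pass context data through the step's `env` block and treat it as data inside the script. The following is an added example, not the repository's workflow code, of what the script bodies look like after that change; it assumes the workflow sets `ISSUE_LABELS: ${{ toJson(github.event.issue.labels) }}`, `ISSUE_PULL_REQUEST: ${{ toJson(github.event.issue.pull_request) }}` and `ISSUE_TITLE: ${{ github.event.issue.title }}` in each step's `env`, and that the label name, the key pattern and the sample environment are constructed for the demonstration.

```javascript
// Added example: github-script step bodies that read context from process.env
// (populated by the step's env block) instead of inline ${{ }} expansion.
const JIRA_ISSUE_LABEL = 'jira-issue'; // assumed label name, not from the PR

// Step 'github_issue_type': toJson() of a missing pull_request is 'null'.
function issueType(env) {
  const pr = env.ISSUE_PULL_REQUEST;
  return pr && pr !== 'null' ? 'pr' : 'issue';
}

// Step 'github_issue_has_jira_issue_label': the labels arrive as a JSON
// string and are parsed as data, so they can never become script source.
function hasJiraIssueLabel(env, wanted = JIRA_ISSUE_LABEL) {
  let labels;
  try {
    labels = JSON.parse(env.ISSUE_LABELS || '[]');
  } catch (e) {
    return false; // malformed payload counts as "no label", not as code
  }
  return Array.isArray(labels) && labels.some(l => l && l.name === wanted);
}

// Step 'extract_jira_number': return the key, or null when the title has
// none, instead of indexing [1] on a null match and throwing a TypeError.
const JIRA_KEY_RE = /\b([A-Z][A-Z0-9]+-\d+)\b/; // assumed key pattern
function extractJiraNumber(env) {
  const m = JIRA_KEY_RE.exec(env.ISSUE_TITLE || '');
  return m ? m[1] : null;
}

// Constructed sample environment, as the hardened workflow would populate it.
const SAMPLE_ENV = {
  ISSUE_PULL_REQUEST: 'null',
  ISSUE_LABELS: JSON.stringify([{ name: 'bug' }, { name: 'jira-issue' }]),
  ISSUE_TITLE: 'PROJ-123: comment step is skipped',
};

console.log(issueType(SAMPLE_ENV), hasJiraIssueLabel(SAMPLE_ENV), extractJiraNumber(SAMPLE_ENV));
```

Inside a real step each function's return value would be returned from the script so that later steps can gate on `steps.<id>.outputs.result`, which also replaces the step-level `env` comparisons in the `if` conditions.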
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.