
Security: pin GitHub Actions to SHA hashes #115

Merged
afsmeira merged 1 commit into master from security/pin-actions-to-sha
Mar 25, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues


@codacy-production codacy-production bot left a comment


Pull Request Overview

While this PR aims to improve repository security by pinning GitHub Actions to immutable SHA hashes, the current implementation fails to address the core requirements for several key dependencies. Additionally, critical logic bugs were introduced in the workflow files: one step uses out-of-scope environment variables which will cause it to be skipped incorrectly, and another step lacks basic null-checking on regex results, which will likely cause a workflow crash. Race conditions in asynchronous API calls were also identified. Although Codacy metrics are passing, these functional and alignment issues must be resolved before merging.

About this PR

  • The primary objective of this PR—pinning actions to SHA hashes—appears incomplete. Specifically, actions/github-script, atlassian/gajira-login, atlassian/gajira-comment, and atlassian/gajira-create still require pinning to their respective SHAs as per the project requirements.

Test suggestions

  • Verify actions/github-script@v2.0.0 is pinned to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
  • Verify atlassian/gajira-login@v2.0.0 is pinned to SHA 90a599561baaf8c05b080645ed73db7391c246ed
  • Verify atlassian/gajira-comment@v2.0.2 is pinned to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203
  • Verify atlassian/gajira-create@v2.0.1 is pinned to SHA c0a9c69ac9d6aa063fed57201e55336ada860183

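One way to turn the "verify X is pinned to SHA Y" suggestions above, and the PR's goal of leaving no action on a mutable tag or branch, into a repeatable check: an added Python scanner that is not part of this PR or of the Codacy audit script. It classifies every `uses:` reference in a workflow file as a full-length SHA pin (with or without a version comment) or as an unpinned tag/branch. The sample workflow is constructed; the two SHAs in it are copied from the review's test suggestions and are not independently verified here.

```python
import re

# A step's `uses:` reference (owner/repo[/path]@ref) plus an optional "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA; short SHAs are not pins

def classify_uses(line):
    """Return (action, ref, status) for a `uses:` line, or None for lines that are not
    remote action references (local ./ actions and docker:// images are skipped).
    status is 'pinned', 'pinned-no-version-comment' or 'unpinned'."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
    if not SHA_RE.match(ref):
        return action, ref, "unpinned"  # tag or branch: mutable, can be force-pushed
    if comment and re.match(r"v?\d", comment):
        return action, ref, "pinned"  # SHA plus a comment naming the version it tracks
    return action, ref, "pinned-no-version-comment"

def audit_workflow(text):
    """Return [(line_no, action, ref, status)] for every reference that is not a
    fully documented SHA pin, so the list is empty for a compliant workflow."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        result = classify_uses(line)
        if result and result[2] != "pinned":
            findings.append((line_no,) + result)
    return findings

# Constructed sample workflow; the two SHAs are the ones quoted in the review above.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
      - uses: atlassian/gajira-login@v2.0.0
      - uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""
```

Run `audit_workflow` over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; the version comment requirement keeps a human-readable tag next to each SHA so future bumps remain reviewable.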

@afsmeira afsmeira merged commit e81d6fd into master Mar 25, 2026
4 of 5 checks passed
@jorgebraz jorgebraz deleted the security/pin-actions-to-sha branch March 26, 2026 14:33
3 participants