From 9d1f5fa1dbffd6a8ddf2cd5921f676155769cdf8 Mon Sep 17 00:00:00 2001
From: Codacy Security Bot
Date: Tue, 24 Mar 2026 17:38:10 +0000
Subject: [PATCH] Security: pin GitHub Actions to SHA hashes

Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
---
 .github/workflows/comment_issue.yml | 10 +++++-----
 .github/workflows/create_issue.yml | 8 ++++----
 .github/workflows/create_issue_on_label.yml | 8 ++++----
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/comment_issue.yml b/.github/workflows/comment_issue.yml
index 12fb218..4bf6a8e 100644
--- a/.github/workflows/comment_issue.yml
+++ b/.github/workflows/comment_issue.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Check GitHub Issue type
 if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
 id: github_issue_type
- uses: actions/github-script@v2.0.0
+ uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
 with:
 result-encoding: string
 script: |
@@ -33,7 +33,7 @@ jobs:
 - name: Check if GitHub Issue has JIRA_ISSUE_LABEL
 if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
 id: github_issue_has_jira_issue_label
- uses: actions/github-script@v2.0.0
+ uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
 env:
 JIRA_ISSUE_LABEL: ${{ secrets.JIRA_ISSUE_LABEL }}
 with:
@@ -56,7 +56,7 @@ jobs:
 - name: Jira Login
 if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
 id: login
- uses: atlassian/gajira-login@v2.0.0
+ uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
 env:
 GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
 GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
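Review bot: Nothing in these workflows checks that the pinned SHAs match the versions named in the trailing comments, starting with `actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0` in the first hunk of comment_issue.yml; the `# v2.0.0` comment is informational only. Before merging, each SHA should be compared against the corresponding tag in the action's own upstream repository, since a commit SHA can also resolve to a commit that exists only in a fork of that repository. The pins also freeze the workflows on these exact releases, so I would pair the change with an update mechanism such as a Dependabot `package-ecosystem: "github-actions"` entry, otherwise upstream security fixes never arrive. The same applies to every `uses:` line changed in create_issue.yml and create_issue_on_label.yml.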
@@ -67,7 +67,7 @@ jobs:
 - name: Extract Jira number
 if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
 id: extract_jira_number
- uses: actions/github-script@v2.0.0
+ uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
 env:
 GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
 GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
@@ -82,7 +82,7 @@ jobs:
 - name: Jira Add comment on issue
 if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
 id: add_comment_jira_issue
- uses: atlassian/gajira-comment@v2.0.2
+ uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
 env:
 GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
 GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
diff --git a/.github/workflows/create_issue.yml b/.github/workflows/create_issue.yml
index 14c9f3b..8c5f7ef 100644
--- a/.github/workflows/create_issue.yml
+++ b/.github/workflows/create_issue.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Jira Login
 if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
 id: login
- uses: atlassian/gajira-login@v2.0.0
+ uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
 env:
 JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
 JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
@@ -27,7 +27,7 @@ jobs:
 - name: Jira Create issue
 if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
 id: create_jira_issue
- uses: atlassian/gajira-create@v2.0.1
+ uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
 with:
 project: ${{ secrets.JIRA_PROJECT }}
 issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
@@ -53,7 +53,7 @@ jobs: - name: Update GitHub issue if: env.JIRA_CREATE_ISSUE_AUTO == 'true' - uses: actions/github-script@v2.0.0 + uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 env: JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }} GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }} @@ -78,7 +78,7 @@ jobs: - name: Add comment after sync if: env.JIRA_CREATE_ISSUE_AUTO == 'true' - uses: actions/github-script@v2.0.0 + uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | diff --git a/.github/workflows/create_issue_on_label.yml b/.github/workflows/create_issue_on_label.yml index de4ab93..83c1454 100644 --- a/.github/workflows/create_issue_on_label.yml +++ b/.github/workflows/create_issue_on_label.yml @@ -18,7 +18,7 @@ jobs: - name: Jira Login if: github.event.label.name == env.JIRA_ISSUE_LABEL id: login - uses: atlassian/gajira-login@v2.0.0 + uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 env: JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} @@ -27,7 +27,7 @@ jobs: - name: Jira Create issue if: github.event.label.name == env.JIRA_ISSUE_LABEL id: create_jira_issue - uses: atlassian/gajira-create@v2.0.1 + uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1 with: project: ${{ secrets.JIRA_PROJECT }} issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} @@ -53,7 +53,7 @@ jobs: - name: Change Title if: github.event.label.name == env.JIRA_ISSUE_LABEL - uses: actions/github-script@v2.0.0 + uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 env: JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }} GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }} 
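Review bot: `GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}` in the "Update GitHub issue" step of create_issue.yml (hunk at line 53) carries text that any issue author controls, and the `script:` body that consumes it is outside the hunk. Passing the title through `env:` is the safe pattern only if the script reads it as `process.env.GITHUB_ORIGINAL_TITLE`; a `${{ ... }}` expression placed directly inside the script text would be substituted into the JavaScript source before it runs. This is worth confirming while these steps are being touched, and the same check applies to the "Change Title" step in create_issue_on_label.yml.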
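Review bot: The "Add comment after sync" step in create_issue.yml (hunk at line 78) passes `github-token: ${{secrets.GITHUB_TOKEN}}`, and no `permissions:` key is visible in the hunk; the top of the workflow is outside it, so the token may still carry the repository's default scopes. If the workflow does not already restrict it, add a job-level `permissions:` block granting only `issues: write`, which is what commenting on and retitling an issue should need. The same step appears in create_issue_on_label.yml (hunk at line 70).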
@@ -70,7 +70,7 @@ jobs: - name: Add comment after sync if: github.event.label.name == env.JIRA_ISSUE_LABEL - uses: actions/github-script@v2.0.0 + uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 with: github-token: ${{secrets.GITHUB_TOKEN}} script: |