Security: pin GitHub Actions to SHA hashes#829
Conversation
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Up to standards ✅
|
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
This PR hardens the repository's security posture by pinning GitHub Actions to immutable SHA hashes, protecting against potential supply chain attacks. While the implementation satisfies the primary objective, there is a critical version mismatch for the 'actions/github-script' action across all modified workflows. The commit SHA provided points to version 3.x, which contradicts the '# v2.0.0' comments. This should be corrected before merging to avoid potential breaking changes introduced in v3.x while the team expects v2.x behavior.
About this PR
- There is a recurring inconsistency between the commit SHAs and the version comments for 'actions/github-script'. Please ensure that the SHA hash used actually matches the version tag documented in the code comments to prevent unintended upgrades to major versions with breaking changes.
Test suggestions
- Verify 'actions/github-script' is pinned to SHA hash in all three workflow files.
- Verify 'atlassian/gajira-login' is pinned to SHA hash across all workflows.
- Verify 'atlassian/gajira-create' is pinned to SHA hash in create_issue workflows.
- Verify 'atlassian/gajira-comment' is pinned to SHA hash in comment_issue.yml.
🗒️ Improve review quality by adding custom instructions
2 participants
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.