
Security: pin GitHub Actions to SHA hashes#77

Open
jorgebraz wants to merge 27 commits into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
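The rewrite the PR describes (mutable tag to commit SHA, tag kept as a trailing comment) can be done and then checked with a short script. The following is an added example written for this page; it is not the Codacy audit script and not code from the PR. It works offline on constructed input: every SHA and every line of `git ls-remote` output below is a placeholder, not a real upstream commit. A real resolver would run `git ls-remote --tags https://github.com/<owner>/<repo> refs/tags/<tag>` and feed the output to `commitShaFromLsRemote`, which picks the peeled `^{}` commit for annotated tags rather than the tag object.

```javascript
// Added example (not the Codacy audit script or any code from the PR):
// pin `uses: owner/repo@<tag>` references to the tag's *commit* SHA and audit the result.
// All SHAs and the ls-remote output below are constructed placeholders.

const SHA40 = /^[0-9a-f]{40}$/;
// Matches `uses: owner/repo[/path]@ref [# comment]`; local (`./x`) and `docker://` uses do not match.
const USES_RE = /^(\s*-?\s*uses:\s*)([A-Za-z0-9_.-]+\/[^@\s]+)@([^\s#]+)(\s*(?:#.*)?)$/;

// Parse `git ls-remote --tags <url> refs/tags/<tag>` output. For an annotated tag the plain
// `refs/tags/<tag>` line is the tag *object*; the `^{}` line is the peeled commit, which is
// what `uses:` must point at. Lightweight tags have no `^{}` line and already name the commit.
// Returns null when the tag is absent.
function commitShaFromLsRemote(output, tag) {
  let tagObject = null;
  let peeled = null;
  for (const line of output.split("\n")) {
    const [sha, ref] = line.trim().split(/\s+/);
    if (!sha || !ref) continue;
    if (ref === `refs/tags/${tag}^{}`) peeled = sha;
    else if (ref === `refs/tags/${tag}`) tagObject = sha;
  }
  return peeled ?? tagObject;
}

// Rewrite every tag/branch reference in a workflow file.
// `resolve(action, ref)` returns the commit SHA for that action@ref, or null if it cannot.
function pinWorkflow(text, resolve) {
  const pinned = [];
  const unresolved = [];
  const lines = text.split("\n").map((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return line;
    const [, prefix, action, ref] = m;
    if (SHA40.test(ref)) return line;                 // already pinned, leave untouched
    const sha = resolve(action, ref);
    if (!sha) { unresolved.push({ line: i + 1, action, ref }); return line; }
    pinned.push({ line: i + 1, action, ref, sha });
    return `${prefix}${action}@${sha} # ${ref}`;      // keep the human-readable tag as a comment
  });
  return { text: lines.join("\n"), pinned, unresolved };
}

// Audit: every `uses:` whose ref is not a full 40-hex commit SHA (branches, tags, short SHAs).
function unpinnedUses(text) {
  const out = [];
  text.split("\n").forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (m && !SHA40.test(m[3])) out.push({ line: i + 1, action: m[2], ref: m[3] });
  });
  return out;
}

// --- constructed sample data (placeholder SHAs, not real upstream commits) ---
const LS_REMOTE = {
  "atlassian/gajira-login@v2.0.0":                                        // annotated tag
    "1111111111111111111111111111111111111111\trefs/tags/v2.0.0\n" +
    "2222222222222222222222222222222222222222\trefs/tags/v2.0.0^{}\n",
  "actions/github-script@v2.0.0":                                         // lightweight tag
    "3333333333333333333333333333333333333333\trefs/tags/v2.0.0\n",
};
function resolveFromSample(action, ref) {
  const out = LS_REMOTE[`${action}@${ref}`];
  return out ? commitShaFromLsRemote(out, ref) : null;
}

const SAMPLE_WORKFLOW = [
  "steps:",
  "  - uses: actions/checkout@4444444444444444444444444444444444444444 # v4.1.1",
  "  - id: login",
  "    uses: atlassian/gajira-login@v2.0.0",
  "  - uses: actions/github-script@v2.0.0",
  "    with:",
  "      script: return 1",
  "  - uses: atlassian/gajira-comment@main",   // branch ref with no sample data: stays unresolved
].join("\n");

const result = pinWorkflow(SAMPLE_WORKFLOW, resolveFromSample);
console.log(result.text);
console.log("unresolved:", result.unresolved);
console.log("actions left as tags:", unpinnedUses(result.text).length);
```

Two things the audit should insist on that a plain tag-to-SHA substitution can miss: a ref that resolves to the tag object of an annotated tag is not a commit the runner can check out, and a `uses:` that the resolver cannot look up (here the `@main` branch reference) must be reported rather than silently left mutable, which is why `pinWorkflow` returns `unresolved` and the page's own "Actions left as tags" count should be recomputed from the rewritten file, not from the list of substitutions made.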
@codacy-production

codacy-production Bot commented Mar 24, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.



codacy-production Bot left a comment


Pull Request Overview

Although this PR successfully addresses the security goal of pinning GitHub Actions to immutable SHAs, it contains critical logic flaws and security risks in the modified workflows—particularly in .github/workflows/comment_issue.yml. Multiple steps rely on environment variables in if conditions that are not available in the job context, which will cause these steps to be skipped. Additionally, the use of expression interpolation in github-script poses a script injection risk. These issues must be resolved before merging to ensure the workflows remain functional.

About this PR

  • The PR lacks evidence (such as workflow run logs) confirming that the specific commit SHAs used are verified and functional. Additionally, the description contains a reference to 'March 2026', which appears to be a typo that should be corrected for accuracy.

Test suggestions

  • Verify that the 'Comment issue on Jira' workflow still executes correctly with pinned SHAs for github-script, gajira-login, and gajira-comment.
  • Verify that the 'Create issue on Jira' workflow still executes correctly with pinned SHAs for gajira-login, gajira-create, and github-script.
  • Verify that the 'Create issue on Jira when labeled' workflow still executes correctly with pinned SHAs for gajira-login, gajira-create, and github-script.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
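Review bot: the new `uses:` ref is a full 40-hex SHA with a `# v2.0.0` trailing comment, which is the right shape, but nothing in the hunk shows that the SHA was resolved from the tag rather than copied; confirm it with `git ls-remote --tags https://github.com/atlassian/gajira-login refs/tags/v2.0.0` and pin the peeled `^{}` commit, since for an annotated tag the unpeeled line is the tag object, not a commit the runner can check out. Keep the `# v2.0.0` comment accurate as well: it is the only human-readable version signal left on the line, and Dependabot uses it to decide whether the pin is current.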

🔴 HIGH RISK

The if conditions on line 59 (and similarly at lines 50, 57, 68, and 83) rely on environment variables like env.GITHUB_ISSUE_TYPE which are not available to the job-level if context. These variables are step-local and evaluated after the if condition. This will cause the steps to be skipped.

Update the conditions to use step outputs instead:

In .github/workflows/comment_issue.yml, update the if conditions for all steps to use step outputs (e.g., steps.github_issue_type.outputs.result) instead of env variables.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
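Review bot: this pins `actions/github-script` at the same v2.0.0 it was already on, and the identical SHA is reused for the `extract_jira_number` step further down, so the change freezes an old major rather than moving to a current release; a pin is only as trustworthy as the version chosen, so resolve the SHA of the release the workflow should actually run and update the `# v…` comment to match, otherwise the pinned action will never pick up fixes. The `if: env.JIRA_CREATE_COMMENT_AUTO == 'true'` on this step is untouched by the PR.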

🟡 MEDIUM RISK

The script blocks at lines 26 and 42 use ${{ toJson(...) }} to interpolate GitHub event data directly into JavaScript. This is a security anti-pattern and a potential script injection vector.

Refactor the steps to pass github.event.issue data as environment variables, then access them via process.env within the script block.
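The mechanism behind this finding is that `${{ ... }}` expressions in a `script:` block are expanded as text before Node ever sees the script, so whatever an issue author typed becomes part of the program. The block below is an added example written for this page, not code from the PR or from actions/github-script. It emulates that expansion with a minimal stand-in (`expandExpressions` and a `core.info` stub are assumptions made for the demo, not the real runner), runs the vulnerable form next to the hardened `env:`/`process.env` form the comment recommends, and uses a constructed issue title as the attacker input. The comment flags the `toJson(...)` variant; the demo shows the breakout with the plain unquoted form of the same pattern, where the splice is directly exploitable, and shows that `toJson` output is still spliced into source text, which is why the same fix applies to both.

```javascript
// Added example, not code from the PR or from actions/github-script. It emulates what the runner
// does to a `script:` block: `${{ ... }}` is expanded *textually* before the JavaScript is handed
// to Node, so interpolated issue data becomes source code, while a value passed through `env:`
// reaches the script as plain data via process.env.

// Stand-in for GitHub's expression expansion (assumption for this demo): replaces
// `${{ a.b.c }}` with the context value and `${{ toJson(a.b.c) }}` with its JSON encoding, as text.
function expandExpressions(template, context) {
  return template.replace(/\$\{\{\s*(toJson\()?\s*([\w.]+)\s*\)?\s*\}\}/g, (_, toJson, path) => {
    const value = path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), context);
    return toJson ? JSON.stringify(value) : String(value);
  });
}

// Run a script body the way github-script does (as a function body) with a given process.env.
// `core.info` is stubbed so the test can observe what the script did.
function runScript(body, env) {
  const calls = [];
  const fakeCore = { info: (m) => calls.push(m) };
  new Function("process", "core", body)({ env }, fakeCore);
  return calls;
}

// Constructed event: the issue title is attacker-controlled.
const MALICIOUS_TITLE = "x'; core.info('INJECTED'); //";
const CONTEXT = { github: { event: { issue: { number: 7, title: MALICIOUS_TITLE } } } };

// Vulnerable: the title is spliced straight into JavaScript source.
const VULNERABLE_SCRIPT =
  "const title = '${{ github.event.issue.title }}';\n" +
  "core.info('title=' + title);";

// Hardened: the step carries `env: { ISSUE_TITLE: ${{ github.event.issue.title }} }` and the
// script reads process.env, so the value is never parsed as code.
const HARDENED_SCRIPT =
  "const title = process.env.ISSUE_TITLE;\n" +
  "core.info('title=' + title);";

function runVulnerable() {
  const body = expandExpressions(VULNERABLE_SCRIPT, CONTEXT);   // attacker text is now source
  return runScript(body, {});
}

function runHardened() {
  // The expression is still expanded, but into an environment variable, not into the script.
  const env = { ISSUE_TITLE: expandExpressions("${{ github.event.issue.title }}", CONTEXT) };
  return runScript(HARDENED_SCRIPT, env);
}

// The toJson form flagged in the review is the same splice with JSON encoding on top: the
// issue payload still lands inside the script text rather than in the environment.
function expandedToJsonForm() {
  return expandExpressions("const issue = ${{ toJson(github.event.issue) }};", CONTEXT);
}

console.log("vulnerable:", runVulnerable());   // the injected core.info call runs
console.log("hardened:  ", runHardened());     // the title is logged verbatim as data
console.log("toJson:    ", expandedToJsonForm());
```

Passing the value through `env:` is the fix the comment asks for; the script then treats the title as a string no matter what characters it contains, and the same applies to the `toJson(...)` object: put it in an environment variable and `JSON.parse(process.env.ISSUE_JSON)` inside the script instead of splicing it into the source.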

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

Suggestion: The script at lines 77-79 will throw a TypeError if the issue title does not match the expected Jira project regex, as it attempts to access index [1] of a null result. Update the 'Extract Jira number' script to safely handle cases where the regex match fails.
