
Security: pin GitHub Actions to SHA hashes#25

Merged
afsmeira merged 1 commit intomasterfrom
security/pin-actions-to-sha
Apr 17, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
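As an added example (not code from this PR or from the Codacy audit script), a small offline audit over constructed workflow snippets: it computes the "Actions left as tags" count from the description and flags `uses:` pins whose `# vX.Y.Z` comment maps to more than one SHA, which is the only disagreement between a pinned commit and its claimed version that can be detected without asking the remote. Resolving a tag to its real commit still needs `git ls-remote` or the tags API.

```python
import re
from collections import defaultdict

# Matches a step line such as:  uses: actions/github-script@v2.0.0  # optional comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """'sha' for a full 40-hex commit id, 'tag' for a vN[.N...] tag, else 'branch'."""
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"

def audit_workflows(workflows):
    """workflows: {filename: yaml_text}. Returns unpinned refs and ambiguous pins."""
    unpinned = []                       # (file, line, action@ref) still on a tag/branch
    shas_by_version = defaultdict(set)  # (action, version comment) -> SHAs seen
    versions_by_sha = defaultdict(set)  # (action, sha) -> version comments seen
    for fname, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, comment = m.groups()
            if classify_ref(ref) != "sha":
                unpinned.append((fname, lineno, f"{action}@{ref}"))
                continue
            shas_by_version[(action, comment)].add(ref)
            versions_by_sha[(action, ref)].add(comment)
    # A SHA pin is only reviewable when its version comment is unambiguous:
    # one declared version should map to one SHA and vice versa.
    inconsistent = [k for k, v in shas_by_version.items() if len(v) > 1]
    inconsistent += [k for k, v in versions_by_sha.items() if len(v) > 1]
    return {"actions_left_as_tags": len(unpinned), "unpinned": unpinned,
            "inconsistent": inconsistent}

# Constructed sample workflows (not the project's real files); the two SHAs are the
# ones quoted in this PR's review, both commented as v2.0.0, so they cannot both be right.
SAMPLE = {
    "comment-issue.yml": "steps:\n  - uses: actions/checkout@v3\n"
        "  - uses: actions/github-script@0d45304a9e525a74e64f72856f642674e892c9f5 # v2.0.0\n",
    "create-issue.yml": "steps:\n"
        "  - uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0\n",
}

if __name__ == "__main__":
    print(audit_workflows(SAMPLE))
```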
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Alerts:


Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production bot left a comment


Pull Request Overview

While this PR correctly aims to harden the project's security posture by pinning GitHub Actions to immutable SHA-1 hashes, it currently contains a critical implementation error. Every instance of actions/github-script has been updated to a SHA hash corresponding to version v6.3.3, despite being labeled as v2.0.0 in the comments.

This major version jump (from v2 to v6) introduces breaking changes to the internal Octokit client used by these scripts, which will result in runtime failures for all three workflows. Additionally, the PR description contains a chronological error (referencing 'March 2026'). Although the PR meets Codacy quality standards, it cannot be merged until the SHA hashes are corrected to match the intended v2.0.0 versions to preserve script compatibility.

About this PR

  • There are no verification logs or test evidence provided to confirm that the selected SHA hashes correspond to the correct action versions or that the workflows remain operational after pinning.
  • The PR description references an incident from 'March 2026', which appears to be a placeholder error or hallucination in the generated text.

Test suggestions

  • Verify that the 'Comment issue on Jira' workflow executes correctly with pinned SHAs.
  • Verify that the 'Create issue on Jira' workflow executes correctly with pinned SHAs.
  • Verify that the 'Create issue on Jira when labeled' workflow executes correctly with pinned SHAs.

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
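Review bot: the trailing `# v2.0.0` comment on the new `uses:` line is never checked by the Actions runner, so only the SHA decides what code executes. Before merging, resolve the tag on the remote, e.g. `git ls-remote --tags https://github.com/actions/github-script v2.0.0` (take the peeled `^{}` line if the tag is annotated), and confirm the commit equals `6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45`; per the inline comment it does not, as that SHA is v6.3.3, which ships a different Octokit client than the v2 API this step's script was written against.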

🔴 HIGH RISK

The SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 points to v6.3.3, but the comment specifies v2.0.0. To correctly pin the intended version without introducing breaking changes, use the SHA for v2.0.0 instead.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0d45304a9e525a74e64f72856f642674e892c9f5 # v2.0.0

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
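Review bot: same mismatch as in the "Change Title" step, with the identical SHA commented as v2.0.0. Since every github-script step in the PR pins this one SHA, correct all of them in a single commit so the comment and the commit agree everywhere; a reader auditing the pins later will trust the comment, and a partial fix would leave workflows silently running different major versions.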

🔴 HIGH RISK

The SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 points to v6.3.3, but the comment specifies v2.0.0. To correctly pin the intended version without introducing breaking changes, use the SHA for v2.0.0 instead.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0d45304a9e525a74e64f72856f642674e892c9f5 # v2.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
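Review bot: this step carries `id: github_issue_type`, so later steps may consume its output; a v6 script returning a different value shape than v2 would then fail downstream rather than here, making the wrong pin harder to diagnose. The `if:` on JIRA_CREATE_COMMENT_AUTO only gates whether the step runs, not which action version executes, so this needs the v2.0.0 SHA like the other two steps.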

🔴 HIGH RISK

The SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 points to v6.3.3, but the comment specifies v2.0.0. To correctly pin the intended version without introducing breaking changes, use the SHA for v2.0.0 instead.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0d45304a9e525a74e64f72856f642674e892c9f5 # v2.0.0


@afsmeira afsmeira left a comment


I'll bypass the failing checks since they're unrelated to this PR.

@afsmeira afsmeira merged commit a38f9dd into master Apr 17, 2026
1 of 2 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch April 17, 2026 11:21