Security: pin GitHub Actions to SHA hashes #57
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Codacy: Up to standards ✅
Pull Request Overview
While Codacy reports the PR is 'up to standards', the review identified that the primary requirement—pinning all GitHub Actions to 40-character SHA hashes—appears to be unaddressed or incomplete across several workflows. Specifically, verification for pinning actions in comment_issue.yml, create_issue.yml, and create_issue_on_label.yml failed the intent analysis. Furthermore, the comment_issue.yml file contains a medium-severity security risk regarding script injection and a potential runtime error in the issue extraction logic. These findings indicate the PR does not yet meet the security hardening goals described in the title.
About this PR
- The primary goal of this PR is to pin GitHub Actions to SHA hashes to prevent supply chain attacks. However, the intent analysis suggests that several 'uses' declarations for actions like actions/github-script, atlassian/gajira-login, and others are still missing their commit SHAs. Please ensure all actions are updated to use 40-character hashes.
Test suggestions
- Verify pinning of actions/github-script to SHA in comment_issue.yml, create_issue.yml, and create_issue_on_label.yml
- Verify pinning of atlassian/gajira-login to SHA in all workflow files
- Verify pinning of atlassian/gajira-create to SHA in create_issue.yml and create_issue_on_label.yml
- Verify pinning of atlassian/gajira-comment to SHA in comment_issue.yml
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: extract_jira_number | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
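Review bot: the value of this pin rests on 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 actually being the commit that actions/github-script's v2.0.0 tag points at, which the hunk itself cannot show; resolve it out of band before merging (`git ls-remote https://github.com/actions/github-script refs/tags/v2.0.0`, comparing against the peeled `^{}` line if the tag is annotated), because a wrong SHA beside a right-looking `# v2.0.0` comment pins silently to something else. Keep the trailing comment: Dependabot and Renovate read it to bump SHA pins by version.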
🟡 MEDIUM RISK
The script lacks error handling for the regex match. If the Jira project key is not found in the issue title, match() returns null, and attempting to access index [1] will throw a TypeError, crashing the workflow. Try running the following prompt in your coding agent:
> In .github/workflows/comment_issue.yml at the 'Extract Jira number' step, update the script to safely handle cases where the Jira project key is not found in the issue title, avoiding a TypeError.
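
A null-safe version of the extraction the comment describes, as an added example that is not the workflow's own script: the real step's regex, output names and the `JIRA_KEY_RE` pattern `[A-Z][A-Z0-9]+-\d+` used here are assumptions, since the page does not show the script body.

```javascript
// Hypothetical Jira key pattern (PROJECT-123); the workflow's real regex is not on this page.
const JIRA_KEY_RE = /\b([A-Z][A-Z0-9]+-\d+)\b/;

// The failure mode the review flags: String.prototype.match() returns null when nothing
// matches, and indexing null throws a TypeError that fails the whole step.
function extractJiraKeyUnsafe(title) {
  return title.match(JIRA_KEY_RE)[1];
}

// Hardened: guard the input type, check the match before indexing, and return null when
// absent so the caller can skip the Jira comment instead of crashing the job.
function extractJiraKey(title) {
  if (typeof title !== 'string') return null;
  const m = title.match(JIRA_KEY_RE);
  return m ? m[1] : null;
}

// What a github-script step would emit: set outputs either way, and let a later step gate
// on them (e.g. `if: steps.extract_jira_number.outputs.has_jira_key == 'true'`).
// Output names are assumed for the example.
function buildStepOutputs(title) {
  const key = extractJiraKey(title);
  return { jira_key: key ?? '', has_jira_key: key !== null };
}

// Self-check with constructed titles; no GitHub context is needed to run this offline.
function selfCheck() {
  let threw = false;
  try {
    extractJiraKeyUnsafe('Fix login timeout');   // no key: match() is null, [1] throws
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    unsafeThrows: threw,                                     // true
    found: extractJiraKey('[ABC-42] Fix login timeout'),     // 'ABC-42'
    missing: extractJiraKey('Fix login timeout'),            // null
    outputs: buildStepOutputs('ABC-42: Fix login timeout'),  // { jira_key: 'ABC-42', has_jira_key: true }
  };
}
```

`core.setOutput` is the usual way to hand these values to the next step inside actions/github-script; the function above returns them instead so the logic can be exercised without the action runtime.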
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
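Review bot: same SHA as in the step above, so one tag-to-commit check covers both pins in this file; it is worth stating in the PR that the pin only fixes which copy of actions/github-script runs, not what this step's inline script does with the issue data it is handed, so that hardening is a separate change from this one.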
🟡 MEDIUM RISK
Directly interpolating GitHub context into the script block is a security risk. It is safer to pass the context via environment variables and access them through process.env in the script. Try running the following prompt in your coding agent:
> Update the actions/github-script steps in .github/workflows/comment_issue.yml to pass github.event.issue data via env variables instead of direct template interpolation in the script string.
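
To make the risk in that comment concrete, an added example (not the workflow's code) that simulates how `${{ }}` expressions are substituted into the script text before it is evaluated, beside the `process.env` form the comment recommends. The `renderTemplate` helper, the malicious title and the flag it sets are constructed for the demonstration, and `new Function` stands in for the AsyncFunction wrapper actions/github-script uses to evaluate its `script:` body.

```javascript
// Constructed stand-in for GitHub's expression substitution: every ${{ path }} is replaced
// with the raw context value *as text*, before the script is ever parsed as JavaScript.
function renderTemplate(template, ctx) {
  return template.replace(/\$\{\{\s*([\w.]+)\s*\}\}/g, (_, path) =>
    String(path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx)));
}

// Vulnerable pattern flagged in the review: the issue title becomes part of the source code.
const VULNERABLE_SCRIPT = "const title = '${{ github.event.issue.title }}';\nreturn title.length;";

// Hardened pattern: the step's `env:` block carries the value and the script reads it as data.
//   env:
//     ISSUE_TITLE: ${{ github.event.issue.title }}
const HARDENED_SCRIPT = "const title = process.env.ISSUE_TITLE;\nreturn title.length;";

// Constructed attacker-controlled title: closes the string literal, runs code, reopens it.
// The payload only sets a global flag so the effect is observable and harmless.
const MALICIOUS_TITLE = "'; globalThis.injected = true; '";

// Renders and evaluates the vulnerable script exactly as the runner would see it.
function runVulnerable(title) {
  const source = renderTemplate(VULNERABLE_SCRIPT, { github: { event: { issue: { title } } } });
  return { source, result: new Function(source)() };
}

// Same title delivered through the environment: the script text never changes.
function runHardened(title) {
  process.env.ISSUE_TITLE = title;             // what `env:` does for the step
  return { source: HARDENED_SCRIPT, result: new Function(HARDENED_SCRIPT)() };
}

// Constructed smoke run: the vulnerable path executes the payload and the string it meant to
// measure collapses to '' (length 0); the env path treats the whole title as data.
function demo() {
  delete globalThis.injected;
  const vuln = runVulnerable(MALICIOUS_TITLE);
  const vulnInjected = globalThis.injected === true;
  delete globalThis.injected;
  const hard = runHardened(MALICIOUS_TITLE);
  const hardInjected = globalThis.injected === true;
  return { vulnInjected, vulnResult: vuln.result, hardInjected, hardResult: hard.result };
}
```

The same substitution happens for any `${{ }}` placed inside `run:` shell steps, so the `env:` indirection is the general fix, not one specific to github-script; with the env form, a title containing quotes, backticks or newlines is just a longer string.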
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
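
An offline check behind the "Actions left as tags: 0" claim, added here as example code rather than the Codacy audit script the description mentions: it scans workflow text for `uses:` references and reports any that is not pinned to a full 40-hex commit SHA. Local `./` actions and `docker://` images are handled separately because they cannot be pinned to a Git SHA (images are pinned by digest instead). The sample workflow and its SHAs are constructed for the example.

```javascript
// Matches a `uses:` line (with or without the list dash, quoted or not) and captures the
// reference up to the first whitespace, quote or comment.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/;
const GIT_SHA_RE = /^[0-9a-f]{40}$/;

// Classifies one reference; returns { pinned, reason } so each finding can be explained.
function classifyUses(ref) {
  if (ref.startsWith('./')) return { pinned: true, reason: 'local action, versioned with the repo' };
  if (ref.startsWith('docker://')) {
    return ref.includes('@sha256:')
      ? { pinned: true, reason: 'image pinned by digest' }
      : { pinned: false, reason: 'docker image without digest' };
  }
  const at = ref.lastIndexOf('@');
  if (at < 0) return { pinned: false, reason: 'no @ref at all' };
  const version = ref.slice(at + 1);
  if (GIT_SHA_RE.test(version)) return { pinned: true, reason: 'full commit SHA' };
  if (/^[0-9a-f]{7,39}$/.test(version)) return { pinned: false, reason: 'abbreviated SHA; use 40 hex chars' };
  return { pinned: false, reason: `mutable tag or branch "${version}"` };
}

// Scans one workflow file's text; returns every unpinned reference with its 1-based line.
function findUnpinned(workflowText) {
  const findings = [];
  workflowText.split('\n').forEach((line, i) => {
    const m = line.match(USES_RE);
    if (!m) return;
    const { pinned, reason } = classifyUses(m[1]);
    if (!pinned) findings.push({ line: i + 1, ref: m[1], reason });
  });
  return findings;
}

// Constructed sample workflow; the SHA is illustrative, not a verified tag commit.
const SAMPLE_WORKFLOW = `
name: comment_issue
on: [issues]
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/github-script@v2.0.0
      - uses: atlassian/gajira-login@master
      - uses: atlassian/gajira-comment@0123456
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
`;

// Expected on the sample: four findings, at lines 9, 10, 11 and 13.
function sampleFindings() {
  return findUnpinned(SAMPLE_WORKFLOW);
}
```

Run it over every file under `.github/workflows/` and fail CI when the list is non-empty; the check is syntactic, so it confirms the shape of each pin but not that a given SHA belongs to the tag named in its trailing comment, which still needs a `git ls-remote` against the upstream repository.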