Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Pull Request Overview
While this PR aligns with security best practices by pinning GitHub Actions to SHAs, there are several critical issues that should prevent merging in its current state. Specifically, there is a consistent mismatch where SHAs for actions/github-script version 3.0.0 are used while the comments indicate version 2.0.0. This could introduce breaking changes if the workflows are not compatible with the v3.0.0 environment.
Furthermore, a significant logic error was detected in the workflow execution conditions in comment_issue.yml. The 'if' conditions reference step-level environment variables which are not accessible within the 'if' block's scope, causing these steps to always be skipped. Finally, the PR lacks evidence of successful workflow execution logs to verify the validity of the provided SHAs.
About this PR
- The PR lacks any verification or testing evidence (e.g., successful workflow run logs) to confirm that the provided SHAs are valid and do not break the integration.
Test suggestions
- Verify that all GitHub Actions in .github/workflows/comment_issue.yml are pinned to commit SHAs.
- Verify that all GitHub Actions in .github/workflows/create_issue.yml are pinned to commit SHAs.
- Verify that all GitHub Actions in .github/workflows/create_issue_on_label.yml are pinned to commit SHAs.
- Execute the workflows in a staging environment to ensure the specified SHAs are valid and function correctly.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that all GitHub Actions in .github/workflows/comment_issue.yml are pinned to commit SHAs.
2. Verify that all GitHub Actions in .github/workflows/create_issue.yml are pinned to commit SHAs.
3. Verify that all GitHub Actions in .github/workflows/create_issue_on_label.yml are pinned to commit SHAs.
4. Execute the workflows in a staging environment to ensure the specified SHAs are valid and function correctly.
Low confidence findings
- There is no automated linting tool (like actionlint) added to the repository to enforce this pinning policy for future changes.
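A pinning check of the kind the test suggestions ask for (every `uses:` in `.github/workflows/*.yml` must be a 40-hex commit SHA, and each SHA pin should carry its `# vX.Y.Z` comment), written here as an added example; it is not the repository's audit script, and the workflow it scans is a constructed sample. It checks the form of the pin only: whether a SHA really is the release the comment names still needs a remote lookup such as `git ls-remote`.

```python
import re

# Constructed sample workflow (not the repository's file): mutable ref, SHA pin with and without comment, docker digest, local action.
SAMPLE_WORKFLOW = """\
name: sync
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: login
        uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
      - uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: ./.github/actions/local-helper
"""

# One `uses:` reference: owner/repo[/path]@ref, optionally quoted, with an optional "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_pins(workflow_text):
    """Return (line_no, action, ref, problem) for each `uses:` that is not pinned to a
    full commit SHA, or is SHA-pinned without a human-readable version comment."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:  # not a remote action reference (local ./actions carry no @ref)
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue  # container images are pinned by image digest, a different check
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref, "mutable tag/branch ref, not a 40-hex commit SHA"))
        elif not (comment and comment.strip()):
            findings.append((line_no, action, ref, "SHA pin lacks a trailing '# vX.Y.Z' comment"))
    return findings

if __name__ == "__main__":
    import pathlib, sys
    paths = [pathlib.Path(p) for p in sys.argv[1:]] or sorted(pathlib.Path(".github/workflows").glob("*.y*ml"))
    total = 0
    for path in paths:
        for line_no, action, ref, problem in check_pins(path.read_text()):
            print(f"{path}:{line_no}: {action}@{ref}: {problem}")
            total += 1
    sys.exit(1 if total else 0)
```

Run it with no arguments from the repository root to scan `.github/workflows/`, or pass workflow paths explicitly; a non-zero exit makes it usable as a CI gate alongside actionlint.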
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
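Review bot: nothing in this hunk ties the `# v2.0.0` comment to the SHA it annotates, and that comment is the only human-readable record of what was pinned (and what update tooling will read), so confirm before merging that the SHA is the commit behind that tag, e.g. with `git ls-remote --tags https://github.com/atlassian/gajira-login v2.0.0` and comparing against the `refs/tags/v2.0.0^{}` line, which is the dereferenced commit for an annotated tag. The `if:` context line above is untouched by this change, so the env-scoping point raised on this thread is independent of the pin itself.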
🔴 HIGH RISK
This 'if' condition will always evaluate to false because it references step-level environment variables which are not available to the 'if' key. You should use step outputs directly (e.g., 'steps.github_issue_type.outputs.result') to ensure the workflow logic functions correctly.
| - name: Add comment after sync | ||
| if: github.event.label.name == env.JIRA_ISSUE_LABEL | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| - name: Change Title | ||
| if: github.event.label.name == env.JIRA_ISSUE_LABEL | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| - name: Add comment after sync | ||
| if: env.JIRA_CREATE_ISSUE_AUTO == 'true' | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| - name: Update GitHub issue | ||
| if: env.JIRA_CREATE_ISSUE_AUTO == 'true' | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: extract_jira_number | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_has_jira_issue_label | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0.
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
The SHA hash refers to v3.0.0, while the comment indicates v2.0.0. If you intended to remain on v2.0.0, use the correct SHA (083a2139045952f55ba9b2229555c2d36c2f9e4e).
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 | |
| uses: actions/github-script@083a2139045952f55ba9b2229555c2d36c2f9e4e # v2.0.0 |
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.