Security: pin GitHub Actions to SHA hashes#18
Conversation
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Pull Request Overview
While this PR correctly identifies the need to pin GitHub Actions to SHA hashes for security, the current implementation contains several critical issues that should prevent merging in its current state.
Key concerns include:
- Breaking API Changes: The pinned SHA
6e5ee1dc...corresponds toactions/github-script@v6.0.0, but the workflow code usesv2.0.0syntax. This will cause scripts to fail as the Octokit library was moved undergithub.restin newer versions. - Security Vulnerabilities: Direct expression interpolation (
${{ toJson(...) }}) is used inside script blocks, which introduces a high risk of script injection from user-controlled issue data. - Logic Errors: Conditions in
comment_issue.ymlattempt to evaluate environment variables before they are set or in steps where they do not persist, which will result in incorrect workflow execution. - Metadata Inconsistency: All workflows contain comments labeling the actions as
v2.0.0while the hashes point tov6.0.0.
About this PR
- There is a systemic version mismatch across all modified workflows. The SHA
6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45is being used foractions/github-script, which is version 6.0.0. However, the comments and the code syntax throughout the PR assume version 2.0.0. This needs to be synchronized to prevent runtime failures.
Test suggestions
- Verify 'Comment issue on Jira' workflow execution successfully with pinned SHA hashes
- Verify 'Create issue on Jira' workflow execution successfully with pinned SHA hashes
- Verify 'Create issue on Jira when labeled' workflow execution successfully with pinned SHA hashes
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'Comment issue on Jira' workflow execution successfully with pinned SHA hashes
2. Verify 'Create issue on Jira' workflow execution successfully with pinned SHA hashes
3. Verify 'Create issue on Jira when labeled' workflow execution successfully with pinned SHA hashes
🗒️ Improve review quality by adding custom instructions
| - name: Change Title | ||
| if: github.event.label.name == env.JIRA_ISSUE_LABEL | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
Incompatible version: The SHA 6e5ee1dc... (v6.0.0) will cause this script to fail because it expects v2.0.0 syntax (e.g., github.issues.update vs github.rest.issues.update). Please align the SHA with the code or update the code and comment to reflect v6.
| - name: Update GitHub issue | ||
| if: env.JIRA_CREATE_ISSUE_AUTO == 'true' | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
The pinned SHA 6e5ee1dc... points to v6.0.0, which is incompatible with the v2.0.0 syntax used in this script. The Octokit API moved github.issues to github.rest.issues in version 6. Either revert the SHA to v2.0.0 (14495e4e...) or update the script syntax and the version comment.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
The if condition here will fail because env.GITHUB_ISSUE_TYPE is evaluated before the step's environment variables are set. Additionally, step-level env variables do not persist to subsequent steps (lines 68 and 83). Use step outputs (steps.<id>.outputs.result) instead of the env context for these conditions.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
This step has two major issues. First, it is vulnerable to script injection because it uses direct expression interpolation with ${{ toJson(...) }}. Pass this data via the env context and access it through process.env. Second, the SHA corresponds to v6.0.0 but the comment says v2.0.0. If you intend to use v6.0.0, the script logic must be updated to be compatible with the newer Octokit API (e.g., using github.rest).
| if: env.JIRA_CREATE_ISSUE_AUTO == 'true' | ||
| id: create_jira_issue | ||
| uses: atlassian/gajira-create@v2.0.1 | ||
| uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1 |
There was a problem hiding this comment.
🟡 MEDIUM RISK
The summary field interpolates the issue title directly into a YAML string. If a title contains double quotes, it will cause a YAML parsing error. Pass the title via an environment variable to ensure safety.
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.