Skip to content

Security: pin GitHub Actions to SHA hashes#18

Merged
afsmeira merged 1 commit into
masterfrom
security/pin-actions-to-sha
Apr 17, 2026
Merged

Security: pin GitHub Actions to SHA hashes#18
afsmeira merged 1 commit into
masterfrom
security/pin-actions-to-sha

Conversation

@jorgebraz

Copy link
Copy Markdown
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes. Give us feedback

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

While this PR correctly identifies the need to pin GitHub Actions to SHA hashes for security, the current implementation contains several critical issues that should prevent merging in its current state.

Key concerns include:

  • Breaking API Changes: The pinned SHA 6e5ee1dc... corresponds to actions/github-script@v6.0.0, but the workflow code uses v2.0.0 syntax. This will cause scripts to fail as the Octokit library was moved under github.rest in newer versions.
  • Security Vulnerabilities: Direct expression interpolation (${{ toJson(...) }}) is used inside script blocks, which introduces a high risk of script injection from user-controlled issue data.
  • Logic Errors: Conditions in comment_issue.yml attempt to evaluate environment variables before they are set or in steps where they do not persist, which will result in incorrect workflow execution.
  • Metadata Inconsistency: All workflows contain comments labeling the actions as v2.0.0 while the hashes point to v6.0.0.

About this PR

  • There is a systemic version mismatch across all modified workflows. The SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 is being used for actions/github-script, which is version 6.0.0. However, the comments and the code syntax throughout the PR assume version 2.0.0. This needs to be synchronized to prevent runtime failures.

Test suggestions

  • Verify 'Comment issue on Jira' workflow execution successfully with pinned SHA hashes
  • Verify 'Create issue on Jira' workflow execution successfully with pinned SHA hashes
  • Verify 'Create issue on Jira when labeled' workflow execution successfully with pinned SHA hashes
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'Comment issue on Jira' workflow execution successfully with pinned SHA hashes
2. Verify 'Create issue on Jira' workflow execution successfully with pinned SHA hashes
3. Verify 'Create issue on Jira when labeled' workflow execution successfully with pinned SHA hashes

🗒️ Improve review quality by adding custom instructions

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

Incompatible version: The SHA 6e5ee1dc... (v6.0.0) will cause this script to fail because it expects v2.0.0 syntax (e.g., github.issues.update vs github.rest.issues.update). Please align the SHA with the code or update the code and comment to reflect v6.

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

The pinned SHA 6e5ee1dc... points to v6.0.0, which is incompatible with the v2.0.0 syntax used in this script. The Octokit API moved github.issues to github.rest.issues in version 6. Either revert the SHA to v2.0.0 (14495e4e...) or update the script syntax and the version comment.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

The if condition here will fail because env.GITHUB_ISSUE_TYPE is evaluated before the step's environment variables are set. Additionally, step-level env variables do not persist to subsequent steps (lines 68 and 83). Use step outputs (steps.<id>.outputs.result) instead of the env context for these conditions.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

This step has two major issues. First, it is vulnerable to script injection because it uses direct expression interpolation with ${{ toJson(...) }}. Pass this data via the env context and access it through process.env. Second, the SHA corresponds to v6.0.0 but the comment says v2.0.0. If you intend to use v6.0.0, the script logic must be updated to be compatible with the newer Octokit API (e.g., using github.rest).

if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

The summary field interpolates the issue title directly into a YAML string. If a title contains double quotes, it will cause a YAML parsing error. Pass the title via an environment variable to ensure safety.

@afsmeira afsmeira merged commit a5f928b into master Apr 17, 2026
3 of 4 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch April 17, 2026 10:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants