Security: pin GitHub Actions to SHA hashes#34
Conversation
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Pull Request Overview
While this PR is technically 'up to standards' according to Codacy, it contains critical functional blockers. The move to pin SHAs has inadvertently introduced a major version upgrade for actions/github-script (v2 to v6) that is incompatible with the current script syntax.
Additionally, there are pre-existing logic errors in workflow conditionals where environment variables are incorrectly scoped, and a security risk involving direct expression expansion within GitHub Actions scripts. These issues should be resolved before merging to ensure workflow stability and security.
About this PR
- The upgrade of
actions/github-scriptfrom v2 to v6 via SHA pinning is a major breaking change. Version 5+ moved API methods under thegithub.restnamespace. Existing scripts in this PR still use v2 syntax (e.g.,github.issues.update), which will cause all workflows using this action to fail upon execution.
Test suggestions
- Verify 'comment_issue.yml' workflow completes successfully using the pinned action SHAs.
- Verify 'create_issue.yml' workflow completes successfully, specifically checking that the pinned 'github-script' version is compatible with the existing script logic.
- Verify 'create_issue_on_label.yml' workflow completes successfully using the pinned action SHAs.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'comment_issue.yml' workflow completes successfully using the pinned action SHAs.
2. Verify 'create_issue.yml' workflow completes successfully, specifically checking that the pinned 'github-script' version is compatible with the existing script logic.
3. Verify 'create_issue_on_label.yml' workflow completes successfully using the pinned action SHAs.
🗒️ Improve review quality by adding custom instructions
| - name: Update GitHub issue | ||
| if: env.JIRA_CREATE_ISSUE_AUTO == 'true' | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
This SHA upgrade to v6.x will break the script logic on line 65, which uses Octokit v2 syntax (github.issues.update). Either update the script to use github.rest.issues.update or revert the SHA to the correct v2.0.0 commit (536f901).
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
The if condition logic is incorrect. Variables defined in a step's env block are not accessible to the if context of subsequent steps. Use step outputs instead, for example: steps.github_issue_type.outputs.result == 'issue'.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
There was a problem hiding this comment.
🔴 HIGH RISK
Two issues identified here: 1) The SHA 6e5ee1dc... points to v6.3.3, which contradicts the v2.0.0 tag in the comment and introduces breaking API changes. 2) Expanding ${{ toJson(...) }} directly into the script block is a security risk. Use the context object (e.g., context.payload.issue) instead to handle data safely.
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.