Skip to content

Security: pin GitHub Actions to SHA hashes#34

Merged
afsmeira merged 1 commit into
masterfrom
security/pin-actions-to-sha
Apr 17, 2026
Merged

Security: pin GitHub Actions to SHA hashes#34
afsmeira merged 1 commit into
masterfrom
security/pin-actions-to-sha

Conversation

@jorgebraz

Copy link
Copy Markdown
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes. Give us feedback

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

While this PR is technically 'up to standards' according to Codacy, it contains critical functional blockers. The move to pin SHAs has inadvertently introduced a major version upgrade for actions/github-script (v2 to v6) that is incompatible with the current script syntax.

Additionally, there are pre-existing logic errors in workflow conditionals where environment variables are incorrectly scoped, and a security risk involving direct expression expansion within GitHub Actions scripts. These issues should be resolved before merging to ensure workflow stability and security.

About this PR

  • The upgrade of actions/github-script from v2 to v6 via SHA pinning is a major breaking change. Version 5+ moved API methods under the github.rest namespace. Existing scripts in this PR still use v2 syntax (e.g., github.issues.update), which will cause all workflows using this action to fail upon execution.

Test suggestions

  • Verify 'comment_issue.yml' workflow completes successfully using the pinned action SHAs.
  • Verify 'create_issue.yml' workflow completes successfully, specifically checking that the pinned 'github-script' version is compatible with the existing script logic.
  • Verify 'create_issue_on_label.yml' workflow completes successfully using the pinned action SHAs.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'comment_issue.yml' workflow completes successfully using the pinned action SHAs.
2. Verify 'create_issue.yml' workflow completes successfully, specifically checking that the pinned 'github-script' version is compatible with the existing script logic.
3. Verify 'create_issue_on_label.yml' workflow completes successfully using the pinned action SHAs.

🗒️ Improve review quality by adding custom instructions

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

This SHA upgrade to v6.x will break the script logic on line 65, which uses Octokit v2 syntax (github.issues.update). Either update the script to use github.rest.issues.update or revert the SHA to the correct v2.0.0 commit (536f901).

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

The if condition logic is incorrect. Variables defined in a step's env block are not accessible to the if context of subsequent steps. Use step outputs instead, for example: steps.github_issue_type.outputs.result == 'issue'.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

Two issues identified here: 1) The SHA 6e5ee1dc... points to v6.3.3, which contradicts the v2.0.0 tag in the comment and introduces breaking API changes. 2) Expanding ${{ toJson(...) }} directly into the script block is a security risk. Use the context object (e.g., context.payload.issue) instead to handle data safely.

@afsmeira afsmeira merged commit b694d86 into master Apr 17, 2026
3 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch April 17, 2026 10:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants