Security: pin GitHub Actions to SHA hashes by jorgebraz · Pull Request #551 · codacy/codacy-analysis-cli

jorgebraz · 2026-03-24T17:18:22Z

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0

codacy-production · 2026-03-24T17:20:19Z

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

View in Codacy

🟢 Coverage ∅ diff coverage

Metric Results

Coverage variation Report missing for bcf871d¹

Diff coverage ✅ ∅ diff coverage (50.00%)

View coverage diff in Codacy

Coverage variation details

Coverable lines Covered lines Coverage

Common ancestor commit (bcf871d) Report Missing Report Missing Report Missing

Head commit (6c2cd0a) 1285 1047 81.48%

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

Coverable lines Covered lines Diff coverage

Pull request (#551) 0 0 ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

¹ Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

codacy-production

Pull Request Overview

While this PR aligns with security best practices for supply chain hardening, it currently contains critical logic errors that will break the CI/CD pipeline. All instances of actions/github-script@v2.0.0 use an invalid SHA hash that does not exist in the source repository.

Furthermore, although Codacy analysis is 'up to standards', the manual verification of acceptance criteria reveals that several Atlassian-related actions still require verification for correct pinning. These issues must be addressed before merging to prevent breaking existing workflows.

About this PR

To ensure that GitHub Actions remain pinned to SHA hashes in the future, consider adding an automated validation tool such as actionlint to the repository. Without automated enforcement, mutable tags may be reintroduced in future contributions.

Test suggestions

Verify 'actions/github-script' is pinned to a SHA in all workflows
Verify 'atlassian/gajira-login' is pinned to a SHA in all workflows
Verify 'atlassian/gajira-comment' is pinned to a SHA
Verify 'atlassian/gajira-create' is pinned to a SHA in all workflows

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify 'actions/github-script' is pinned to a SHA in all workflows
2. Verify 'atlassian/gajira-login' is pinned to a SHA in all workflows
3. Verify 'atlassian/gajira-comment' is pinned to a SHA
4. Verify 'atlassian/gajira-create' is pinned to a SHA in all workflows

🗒️ Improve review quality by adding custom instructions

codacy-production · 2026-03-24T17:30:17Z

.github/workflows/create_issue_on_label.yml

      - name: Add comment after sync
        if: github.event.label.name == env.JIRA_ISSUE_LABEL
-        uses: actions/github-script@v2.0.0
+        uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
