Security: pin GitHub Actions to SHA hashes #11
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Pull Request Overview
Although Codacy analysis indicates the PR is up to standards, this review has surfaced several critical blockers. The primary objective—pinning actions to specific immutable SHAs—has gaps, as the required hashes for 'actions/github-script' and Atlassian actions were not found.
More importantly, significant security vulnerabilities were found in '.github/workflows/comment_issue.yml' related to script injection and shell interpolation. Additionally, a logic error in environment variable scoping within the same file will cause 'if' conditions to fail incorrectly, effectively breaking the workflow's conditional logic. These issues must be resolved before this PR can be safely merged.
About this PR
- The PR does not appear to fulfill the requirement for pinning specific actions to the mandated SHA hashes (e.g., actions/github-script to 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45). Please verify that all 'uses' directives have been updated according to the security specification.
2 comments outside of the diff
.github/workflows/comment_issue.yml
line 79🟡 MEDIUM RISK
Suggestion: The regex match assumes the Jira issue key is always present in the title. If the match fails, this step will crash with a TypeError. Handling the null case makes the workflow more robust to non-standard issue titles.

```js
const match = process.env.GITHUB_TITLE.match(jiraTaskRegex);
return match ? match[1] : '';
```
.github/workflows/create_issue.yml
line 51⚪ LOW RISK
Suggestion: Using interpolation directly inside a shell command is risky. If the secret contains single quotes or other shell metacharacters, it will break the command. It is safer to use the environment variable directly within the shell string.
Try running the following prompt in your IDE agent:
> In .github/workflows/create_issue.yml and .github/workflows/create_issue_on_label.yml, refactor the curl command to use the shell environment variable "$JIRA_UPDATE_ISSUE_BODY" instead of using GitHub Action interpolation ${{ env.JIRA_UPDATE_ISSUE_BODY }} inside the run string to prevent shell injection or breakage.
Test suggestions
- Verify that 'actions/github-script' in all workflows is pinned to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
- Verify that 'atlassian/gajira-login' in all workflows is pinned to SHA 90a599561baaf8c05b080645ed73db7391c246ed
- Verify that 'atlassian/gajira-create' in all workflows is pinned to SHA c0a9c69ac9d6aa063fed57201e55336ada860183
- Verify that 'atlassian/gajira-comment' in all workflows is pinned to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203
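A checker for the pin requirements listed in this comment, as an added example (it is not the Codacy audit script or the repository's own code): it scans workflow text for `uses:` lines, reports any reference that is not a full 40-hex commit SHA, and compares the four mandated actions against the SHAs listed above. The sample workflow text is constructed, and `FAKE_SHA` is a placeholder standing in for a wrong pin.

```python
import re

# SHAs the review asked to verify (copied from the review comment above).
REQUIRED_PINS = {
    "actions/github-script": "6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45",
    "atlassian/gajira-login": "90a599561baaf8c05b080645ed73db7391c246ed",
    "atlassian/gajira-create": "c0a9c69ac9d6aa063fed57201e55336ada860183",
    "atlassian/gajira-comment": "8ec356b5df49f1325653db7ee2da2b59a1d78203",
}

FAKE_SHA = "a" * 40  # constructed: full-length SHA that is not the mandated one

# Constructed sample workflow (not from the PR): mixes pinned and unpinned steps.
SAMPLE_WORKFLOW = f"""\
jobs:
  comment:
    steps:
      - uses: actions/checkout@v4
      - uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
      - uses: actions/github-script@v2.0.0
      - uses: atlassian/gajira-create@{FAKE_SHA} # v2.0.0
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text, required=REQUIRED_PINS):
    """Return (action, ref, problem) for every offending 'uses:' line.

    problem is 'unpinned' when the ref is not a 40-hex commit SHA, or
    'wrong-sha' when a mandated action is pinned to a different commit.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue  # local actions and docker images are not tag references
        action, _, ref = ref_spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref, "unpinned"))
        elif action in required and required[action] != ref:
            findings.append((action, ref, "wrong-sha"))
    return findings
```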
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
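Review bot: The new `uses:` line is only as good as the lookup that produced it; before merging, confirm that 90a599561baaf8c05b080645ed73db7391c246ed is the commit the v2.0.0 tag resolves to (for an annotated tag, `git rev-parse v2.0.0^{commit}` gives the commit rather than the tag object, and only a commit SHA is valid here), and point Dependabot or Renovate at the workflows so SHA pins are bumped rather than left to go stale.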
🔴 HIGH RISK
The if condition on line 57 (and following steps) will never evaluate to true because it references env.GITHUB_ISSUE_TYPE, which is not available in the evaluation context. Step-scoped variables are not shared across steps. Try running the following prompt in your coding agent:
> Fix the environment variable scoping in .github/workflows/comment_issue.yml by replacing env.VARIABLE_NAME in if conditions with steps.<step_id>.outputs.result or move the variables to the job-level environment.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
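Review bot: The trailing `# v2.0.0` comment is now the only human-readable version signal on the line and nothing enforces that it matches the SHA; keep it (SHA-bumping tools update both together), but review the SHA, not the comment, as the authoritative value, and note that pinning this commit also freezes the v2 major and whatever runtime it ships with.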
🔴 HIGH RISK
This script is vulnerable to script injection via direct expression interpolation. It is safer to pass dynamic data via environment variables. Also, consider upgrading to a supported version (v7) as v2 uses a deprecated Node.js 12 runtime that is being phased out. Try running the following prompt in your coding agent:
> Refactor the github-script steps in .github/workflows/comment_issue.yml to pass all dynamic context data via environment variables using the env block and process.env, and upgrade the version to v7.
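The shell-interpolation finding on create_issue.yml and the github-script injection finding above share one root cause: a `${{ }}` expression expanded into a `run:` or `script:` body before the interpreter sees it. This added example (not part of the review or the project's code) is a small linter that flags every such expression and passes a step that moves the value into `env:`; the unsafe and safe step texts are constructed to mirror those two findings.

```python
import re

# Constructed: expressions inlined into script:/run: bodies (the unsafe pattern).
UNSAFE_STEPS = """\
      - uses: actions/github-script@v7
        with:
          script: |
            const title = "${{ github.event.issue.title }}";
            return title.match(/([A-Z]+-[0-9]+)/);
      - run: curl -d '${{ env.JIRA_UPDATE_ISSUE_BODY }}' "$JIRA_URL"
"""

# Constructed: the same steps with values passed through env and read at runtime.
SAFE_STEPS = """\
      - uses: actions/github-script@v7
        env:
          GITHUB_TITLE: ${{ github.event.issue.title }}
        with:
          script: |
            const title = process.env.GITHUB_TITLE;
            return title.match(/([A-Z]+-[0-9]+)/);
      - run: curl -d "$JIRA_UPDATE_ISSUE_BODY" "$JIRA_URL"
"""

KEY_RE = re.compile(r"^(\s*)(-\s+)?(run|script):\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_inlined_expressions(workflow_text):
    """Return [(line_no, key, expression)] for every ${{ }} expression that is
    interpolated into a run: or script: body instead of passed through env."""
    findings = []
    block_key, block_indent = None, -1
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_key is not None and stripped and indent <= block_indent:
            block_key = None  # dedented: the literal block has ended
        if block_key is not None:
            findings += [(no, block_key, e) for e in EXPR_RE.findall(line)]
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        lead, dash, key, value = m.groups()
        findings += [(no, key, e) for e in EXPR_RE.findall(value)]
        if value in ("|", "|-", ">", ">-", ""):  # block scalar follows
            block_key = key
            block_indent = len(lead) + (len(dash) if dash else 0)
    return findings
```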
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.