
Security: pin GitHub Actions to SHA hashes#85

Open
jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues 0 issues


Results:
0 new issues


@codacy-production codacy-production bot left a comment


Pull Request Overview

This review identifies critical security risks and implementation gaps. Specifically, the workflows contain script injection vulnerabilities where GitHub expressions are interpolated directly into JavaScript, which should be refactored to use environment variables. Furthermore, while the PR intends to pin actions to SHAs, the implementation appears incomplete across the specified workflows. There is also a maintenance concern regarding the use of the deprecated Node 12 runtime for several actions, which will eventually lead to workflow failures. These issues should be addressed to ensure the security and longevity of the CI/CD pipeline.

About this PR

  • The primary objective of pinning all GitHub Actions to immutable SHA hashes appears to be missing or incomplete for the targeted workflow files (.github/workflows/comment_issue.yml, .github/workflows/create_issue.yml, and .github/workflows/create_issue_on_label.yml).
  • A recurring security pattern was identified: several workflows are directly interpolating GitHub expressions into JavaScript strings. This creates a risk of code injection. Please ensure all workflow scripts access dynamic data through the env block and process.env rather than direct interpolation.

Test suggestions

  • Verify all actions in .github/workflows/comment_issue.yml are pinned to SHAs
  • Verify all actions in .github/workflows/create_issue.yml are pinned to SHAs
  • Verify all actions in .github/workflows/create_issue_on_label.yml are pinned to SHAs

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
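Review bot: the `# v2.0.0` comment on the new `uses:` line is documentation only; the runner executes whatever `6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45` resolves to, so before merging confirm that this SHA is the commit the `v2.0.0` tag points at (for example with `git ls-remote --tags https://github.com/actions/github-script v2.0.0`, taking the `^{}` line if the tag is annotated). The comment also has to be kept in sync on every future bump; a Dependabot or Renovate rule for the github-actions ecosystem updates the SHA and the comment together and avoids the two drifting apart.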

🟡 MEDIUM RISK

This step directly interpolates variables into the script, creating a potential injection vulnerability. Move ${{ steps.create_jira_issue.outputs.issue }} and ${{ secrets.JIRA_BASE_URL }} to the step's env block and access them via process.env in the script.

Try running the following prompt in your coding agent:

In .github/workflows/create_issue_on_label.yml, refactor the 'Add comment after sync' step to pass steps.create_jira_issue.outputs.issue and secrets.JIRA_BASE_URL via the env block, then update the script to access them using process.env.

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
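Review bot: pinning the SHA here does not change the step's `script:` body, which this review flags for interpolating `${{ steps.create_jira_issue.outputs.issue }}` and `${{ secrets.JIRA_BASE_URL }}` directly into JavaScript. Since the step is being edited anyway, the same commit could add an `env:` block carrying both values and have the script read them from `process.env`, so that the pin and the injection fix land together instead of leaving a pinned but still injectable step.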

🟡 MEDIUM RISK

The script in this step directly interpolates ${{ steps.create_jira_issue.outputs.issue }} and ${{ secrets.JIRA_BASE_URL }} into the code. This is a security risk. These values should be passed via the env block and accessed using process.env in the script.

Try running the following prompt in your coding agent:

In .github/workflows/create_issue.yml, refactor the 'Add comment after sync' step to pass steps.create_jira_issue.outputs.issue and secrets.JIRA_BASE_URL via the env block, then update the script to access them using process.env.
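As an added example, not part of this PR or of the Codacy review, here is a small standard-library Python checker that performs the two verifications the review asks for across the three workflows: every `uses:` reference must be a full 40-hex commit SHA, and no `script:` body may embed a `${{ ... }}` expression. The embedded workflow is constructed for the demo; the all-zero SHA and the step names are placeholders, and the last step shows the `env:` block plus `process.env` shape the review recommends, which the checker correctly leaves alone.

```python
"""Audit GitHub Actions workflows for unpinned actions and expression injection.

Added example, not the project's own code. Standard library only, so it runs
against .github/workflows/*.yml without installing a YAML parser.
"""
import re
import sys
from pathlib import Path

# Constructed sample workflow (not from the PR). Step 1 is still on a mutable tag,
# step 2 is SHA-pinned but interpolates expressions into JavaScript, step 3 is the
# hardened shape. The all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: sample
on: [issues]
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (still on a mutable tag)
        uses: actions/checkout@v4
      - name: Comment (pinned, but interpolates into the script)
        uses: actions/github-script@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          script: |
            const url = '${{ secrets.JIRA_BASE_URL }}/browse/${{ steps.create_jira_issue.outputs.issue }}';
            github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: url });
      - name: Comment (pinned, values passed through env)
        uses: actions/github-script@0000000000000000000000000000000000000000 # placeholder SHA
        env:
          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
          JIRA_ISSUE: ${{ steps.create_jira_issue.outputs.issue }}
        with:
          script: |
            const url = `${process.env.JIRA_BASE_URL}/browse/${process.env.JIRA_ISSUE}`;
            github.rest.issues.createComment({ ...context.repo, issue_number: context.issue.number, body: url });
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXPR_RE = re.compile(r"\$\{\{")                                  # start of a ${{ ... }} expression
SCRIPT_BLOCK_RE = re.compile(r"^(\s*)script:\s*(?:[|>][-+]?)?\s*$")  # script: | / script: >
SCRIPT_INLINE_RE = re.compile(r"^\s*script:\s*(\S.*)$")          # script: <single line>


def unpinned_actions(text):
    """Return (line_no, ref) for every `uses:` not pinned to a full 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and docker references carry no tag to pin
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((n, ref))
    return findings


def interpolated_scripts(text):
    """Return (line_no, snippet) for script lines that embed a ${{ ... }} expression."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        block = SCRIPT_BLOCK_RE.match(lines[i])
        if block:
            key_indent = len(block.group(1))
            i += 1
            # A block scalar continues while lines are blank or indented deeper than the key.
            while i < len(lines):
                line = lines[i]
                if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                    break
                if EXPR_RE.search(line):
                    findings.append((i + 1, line.strip()))
                i += 1
            continue
        inline = SCRIPT_INLINE_RE.match(lines[i])
        if inline and EXPR_RE.search(inline.group(1)):
            findings.append((i + 1, inline.group(1).strip()))
        i += 1
    return findings


def audit(text):
    """Run both checks; `ok` is True only when nothing was found."""
    unpinned = unpinned_actions(text)
    interpolated = interpolated_scripts(text)
    return {"unpinned": unpinned, "interpolated": interpolated,
            "ok": not unpinned and not interpolated}


def main(argv):
    paths = [Path(p) for p in argv[1:]]
    texts = {str(p): p.read_text() for p in paths} if paths else {"<sample>": SAMPLE_WORKFLOW}
    exit_code = 0
    for name, text in texts.items():
        result = audit(text)
        for n, ref in result["unpinned"]:
            print(f"{name}:{n}: not pinned to a full commit SHA: {ref}")
        for n, snippet in result["interpolated"]:
            print(f"{name}:{n}: expression interpolated into script: {snippet}")
        if not result["ok"]:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_workflows.py .github/workflows/*.yml` in CI; a non-zero exit blocks the merge when any action is still on a tag or any `script:` block still contains an expression. The `env:` lines in the hardened step do contain `${{ ... }}`, and that is intended: the expression is evaluated into an environment variable by the runner, so the JavaScript never sees the raw value as source text.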

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
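Review bot: this is the third workflow in the set pinning `actions/github-script` to the same v2.0.0 SHA, and the review below notes that this version runs on the deprecated Node 12 runtime, so the pin freezes a runtime GitHub is removing from its runners. Rather than repeating the v2.0.0 pin in all three files, resolve a current major (the review suggests v7) to its commit SHA once and use that in all three steps; that keeps the workflows from drifting apart and avoids a second round of edits when Node 12 is dropped.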

🟡 MEDIUM RISK

Suggestion: These actions are pinned to versions that run on Node 12, which is deprecated and scheduled for removal from GitHub Actions runners. To ensure long-term maintenance and security, consider upgrading to the latest major versions (e.g., actions/github-script@v7, atlassian/gajira-login@v3) while pinning to their respective SHAs.
