
Security: pin GitHub Actions to SHA hashes#15

Open
jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
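The pinning described above, as an added example that is neither the Codacy audit script's code nor part of this PR: a checker that flags every `uses:` reference not pinned to a full 40-hex commit SHA and verifies the trailing `# vX.Y.Z` comment against the commit that tag resolves to. The action names (`example/*`), both SHAs and the tag table are constructed stand-ins, and the function names `findUses`, `auditWorkflow` and `resolveTag` are this example's own. Offline the resolver is a lookup table; in a real run you would fill it from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.

```javascript
// Added example (not part of the PR): audit `uses:` references in a workflow
// file. A reference counts as pinned only when it is a full 40-hex commit SHA;
// the trailing "# vX.Y.Z" comment is then checked against a resolver that maps
// "owner/repo" + tag to the commit the tag points at. Offline, the resolver
// reads a constructed table with fake SHAs; in practice populate it from
// `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.

const USES_RE = /^\s*-?\s*uses:\s*([^@\s]+)@(\S+)(?:\s*#\s*(\S+))?/;
const SHA_RE = /^[0-9a-f]{40}$/;

// Every `uses: owner/repo@ref # comment` line -> { action, ref, comment }.
// Local actions (`uses: ./path`) carry no `@` and are therefore not matched.
function findUses(workflowText) {
  const uses = [];
  for (const line of workflowText.split('\n')) {
    const m = USES_RE.exec(line);
    if (m) uses.push({ action: m[1], ref: m[2], comment: m[3] || null });
  }
  return uses;
}

// resolveTag(action, tag) returns the commit SHA the tag points at, or
// undefined when the tag is unknown. Findings are returned in file order.
function auditWorkflow(workflowText, resolveTag) {
  const findings = [];
  for (const { action, ref, comment } of findUses(workflowText)) {
    if (!SHA_RE.test(ref)) {
      findings.push({ action, level: 'high', reason: `mutable ref ${ref}` });
    } else if (!comment) {
      findings.push({ action, level: 'medium', reason: 'SHA has no version comment' });
    } else {
      const expected = resolveTag(action, comment);
      if (expected === undefined) {
        findings.push({ action, level: 'low', reason: `cannot resolve ${comment}` });
      } else if (expected !== ref) {
        findings.push({ action, level: 'high',
          reason: `SHA is not ${comment} (tag points at ${expected.slice(0, 7)})` });
      }
    }
  }
  return findings;
}

// Constructed data: fake SHAs and a fake tag table standing in for git ls-remote.
const SHA_A = '0123456789abcdef0123456789abcdef01234567';
const SHA_B = 'fedcba9876543210fedcba9876543210fedcba98';
const TAG_TABLE = {
  'example/checkout@v4.1.1': SHA_A,
  'example/script@v2.0.0': SHA_A,
  'example/script@v3.1.0': SHA_B,
};
const resolveFromTable = (action, tag) => TAG_TABLE[`${action}@${tag}`];

// Constructed workflow fragment: one correct pin, one mutable tag, one pin whose
// comment does not match the SHA, one pin without a comment, one local action.
const SAMPLE_WORKFLOW = `
steps:
  - uses: example/checkout@${SHA_A} # v4.1.1
  - uses: example/setup@v3
  - uses: example/script@${SHA_B} # v2.0.0
  - uses: example/login@${SHA_A}
  - uses: ./.github/actions/local
`;

for (const f of auditWorkflow(SAMPLE_WORKFLOW, resolveFromTable)) {
  console.log(`[${f.level}] ${f.action}: ${f.reason}`);
}
```

A SHA without a version comment is reported as medium because the comment is what makes the pin auditable on the next upgrade. The regex does not handle quoted `uses:` values or `docker://` references; both need separate treatment.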
@codacy-production

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues


@codacy-production (bot) left a comment


Pull Request Overview

The changes are technically up to Codacy standards, but the review identified critical security and logic flaws that must be addressed before merging.

Specifically, the use of actions/github-script contains a command injection vulnerability due to direct interpolation of event data. Furthermore, the version being pinned (v2) uses a deprecated Node 12 runtime that will lead to workflow failures. A significant logic error was also found in comment_issue.yml where environment variable scoping will cause a key workflow step to be skipped. Finally, inconsistencies between SHA hashes and version comments were detected across several files.

About this PR

  • The PR lacks automated validation to ensure the provided SHAs are correct or that the workflows remain functional after pinning. This risk is evidenced by the discovered version mismatch in the script pinning, where SHAs do not align with the version labels in comments.

Test suggestions

  • Verify that 'actions/github-script' across all workflow files is pinned to a valid SHA hash.
  • Verify that Atlassian Gajira actions (login, create, comment) are pinned to valid SHA hashes.
  • Dry-run or execute the workflows to ensure the pinned SHA hashes are accessible and valid.


if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
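Review bot: the `# v2.0.0` comment after the new SHA is the only record of which release this pin corresponds to, and nothing in this PR checks that 90a599561baaf8c05b080645ed73db7391c246ed is the commit the `v2.0.0` tag points at; the review found exactly that kind of comment/SHA mismatch on the github-script pins in this same PR, so confirm it here (for example with `git ls-remote https://github.com/atlassian/gajira-login refs/tags/v2.0.0`) before merging. The `if:` line above is unchanged context, so the pin itself neither fixes nor worsens the condition discussed below.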

🔴 HIGH RISK

The if condition at line 57 uses env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL. However, environment variables defined within a step's env block are only available to the action execution, not to the if condition. This step will always be skipped. Use step outputs instead: steps.github_issue_type.outputs.result == 'issue' && steps.github_issue_has_jira_issue_label.outputs.result == 'true'.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🔴 HIGH RISK

There are multiple issues at this location:

  1. Security: Directly interpolating ${{ toJson(...) }} into the script block allows for arbitrary code execution if malicious input is provided in label names. Pass data via process.env instead.
  2. Deprecation: actions/github-script@v2 uses Node 12, which has been removed from GitHub runners; this workflow will likely fail.
  3. Inconsistency: The pinned SHA 6e5ee1dc... corresponds to v3.1.0, but the comment indicates # v2.0.0.

Recommendation: Update to v7 (SHA 6010d130245155873297aa385d2a44da1ef0daed) and refactor to pass context data via environment variables.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
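Review bot: this pin is the same commit 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 with the same `# v2.0.0` comment as the github_issue_type step above, so the version-label mismatch and the Node 12 runtime deprecation raised on that step apply to this step as well; update both github-script pins together rather than only the first one, and make the version comment match whichever SHA is chosen.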

🟡 MEDIUM RISK

The script at line 79 calls .match(jiraTaskRegex)[1] without verifying that a match was found. If the issue title does not contain the expected Jira ticket pattern, match() will return null and the workflow will crash. Add a check for the existence of the match before accessing the index.
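The injection point and the missing null check raised in the two github-script comments above, as one added example that is neither the workflow's code (the actual `script:` bodies are not shown on this page) nor the reviewer's. The reviewed step interpolates `toJson(github.event.issue.labels)`; the demonstration below uses the issue title instead, because an unquoted expression inside a string literal shows the hazard in its clearest form, and the same `env:` fix applies to `toJson(...)` values (parse them with `JSON.parse(process.env.X)`). Both halves of the mechanism are simulated: `expandExpressions` stands in for the runner's text substitution of `${{ }}`, `new Function` for github-script evaluating the resulting text. The issue titles and the `globalThis.pwned` marker are constructed.

```javascript
// Added example (not the workflow's own code): why `${{ ... }}` inside a
// github-script `script:` is an injection, and what passing the data through
// `env:` changes. GitHub substitutes expressions as text before the step runs,
// so the expression's value becomes JavaScript source; github-script then
// evaluates that text. expandExpressions() simulates the substitution and
// new Function() simulates the evaluation.

// Runner-side substitution: every `${{ expr }}` is replaced by the expression's
// string value, with no quoting or escaping.
function expandExpressions(template, ctx) {
  return template.replace(/\$\{\{\s*(.*?)\s*\}\}/g, (_, expr) => {
    if (!(expr in ctx)) throw new Error(`unknown expression: ${expr}`);
    return String(ctx[expr]);
  });
}

// Vulnerable shape: the title is pasted into source text inside quotes, and the
// match result is indexed without checking that a match exists.
const VULNERABLE_SCRIPT = [
  "const title = '${{ github.event.issue.title }}';",
  "return title.match(/([A-Z]+-\\d+)/)[1];",
].join('\n');

// Hardened shape. In the workflow this pairs with
//   env:
//     ISSUE_TITLE: ${{ github.event.issue.title }}
// so the title reaches the script as data in process.env and the script text
// is constant. The null guard handles titles without a ticket reference.
const HARDENED_SCRIPT = [
  "const title = process.env.ISSUE_TITLE ?? '';",
  "const m = title.match(/([A-Z]+-\\d+)/);",
  "return m ? m[1] : null;",
].join('\n');

// Evaluate a script the way github-script does (function body, returned
// value), recording whether the injected marker ran and any thrown error.
function runScript(script) {
  globalThis.pwned = false;
  try {
    return { result: new Function(script)(), pwned: globalThis.pwned, error: null };
  } catch (e) {
    return { result: undefined, pwned: globalThis.pwned, error: e.constructor.name };
  }
}

function runVulnerable(title) {
  const script = expandExpressions(VULNERABLE_SCRIPT, { 'github.event.issue.title': title });
  return runScript(script);
}

function runHardened(title) {
  process.env.ISSUE_TITLE = title;   // what the env: block does on the runner
  return runScript(HARDENED_SCRIPT);
}

// Constructed issue titles, including one that closes the string literal and
// appends its own statements.
const TITLES = {
  ticket: 'PROJ-123: fix login',
  noTicket: 'fix login',
  apostrophe: "don't crash on login",
  malicious: "'; globalThis.pwned = true; return 'hijacked'; //",
};

for (const [name, title] of Object.entries(TITLES)) {
  console.log(name, 'vulnerable:', runVulnerable(title), 'hardened:', runHardened(title));
}
```

The vulnerable shape fails in three distinct ways on the constructed inputs: the malicious title runs attacker-chosen statements and hijacks the return value, a title without a ticket crashes with a TypeError on `[1]`, and a title containing an apostrophe is a SyntaxError before the script runs at all. The hardened shape returns `PROJ-123` or `null` for every input and never executes title text.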
