
Security: pin GitHub Actions to SHA hashes#40

Open
jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.



@codacy-production codacy-production bot left a comment


Pull Request Overview

The PR successfully implements security hardening by replacing mutable tags with commit SHAs across integration workflows. Codacy analysis indicates that the changes are up to standards. However, the review identified a recurring discrepancy between the pinned SHAs and their descriptive version comments. In multiple instances, the SHA corresponds to a v3.x release while the comment labels it as v2.x. These inconsistencies should be corrected before merging to ensure documentation accuracy and maintainability.

About this PR

  • There is a systemic inconsistency where the commit SHAs point to newer versions (v3.x) of the GitHub Actions, but the trailing comments describe them as older versions (v2.x). This documentation gap violates the acceptance criteria for maintaining clear developer references.

Test suggestions

  • Verify that 'actions/github-script' is pinned to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
  • Verify that 'atlassian/gajira-login' is pinned to SHA 90a599561baaf8c05b080645ed73db7391c246ed
  • Verify that 'atlassian/gajira-create' is pinned to SHA c0a9c69ac9d6aa063fed57201e55336ada860183
  • Verify that 'atlassian/gajira-comment' is pinned to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203

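The review's test suggestions above can be turned into an offline check. The following is an added example (not code from the PR or from the Codacy bot): it scans `uses:` lines, rejects anything that is not a full 40-hex SHA, requires a `# vX.Y.Z` comment, and compares the four actions named in the review against the SHAs it lists. `SAMPLE_WORKFLOW` and `example-org/some-action` are constructed inputs.

```python
"""Audit `uses:` lines in a GitHub Actions workflow: third-party actions must be
pinned to a 40-hex commit SHA, carry a `# vX.Y.Z` comment, and match any
expected pin. Added example; SAMPLE_WORKFLOW and example-org are constructed."""
import re

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")

EXPECTED_PINS = {  # the SHAs the review's test suggestions expect
    "actions/github-script": "6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45",
    "atlassian/gajira-login": "90a599561baaf8c05b080645ed73db7391c246ed",
    "atlassian/gajira-create": "c0a9c69ac9d6aa063fed57201e55336ada860183",
    "atlassian/gajira-comment": "8ec356b5df49f1325653db7ee2da2b59a1d78203",
}

SAMPLE_WORKFLOW = """\
steps:
  - uses: example-org/some-action@main
  - id: github_issue_type
    uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
  - id: login
    uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed
  - id: add_comment_jira_issue
    uses: atlassian/gajira-comment@0000000000000000000000000000000000000000 # v2.0.2
"""


def audit_workflow(text, expected=EXPECTED_PINS):
    """Return (line_no, action, problem) for each `uses:` line that is not
    SHA-pinned, lacks a version comment, or differs from the expected pin."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not SHA_RE.match(ref):  # tag or branch: mutable, can be force-pushed
            findings.append((n, action, f"not pinned to a full SHA: @{ref}"))
            continue
        if not comment or not VERSION_RE.match(comment):
            findings.append((n, action, "SHA pin has no '# vX.Y.Z' comment"))
        if action in expected and expected[action] != ref:
            findings.append((n, action, f"SHA {ref} is not the expected pin"))
    return findings
```

This check cannot tell whether the `# v2.0.0` comment names the release the SHA actually belongs to, which is the discrepancy the review flags; that needs the tag resolved against the upstream repository.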

if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
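Review bot: if the pinned SHA resolves to v3.0.1 as the comment below claims, this `uses:` line is a major-version upgrade of atlassian/gajira-create, not the like-for-like freeze of `@v2.0.1` that the PR title and description promise. Decide explicitly: either pin the commit that the v2.0.1 tag points at and keep `# v2.0.1`, or keep this SHA and update the comment to v3.0.1, but only after confirming the step's inputs still behave the same under the new major.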


🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.1. Update the comment to reflect the pinned version.

Suggested change
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v3.0.1

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: add_comment_jira_issue
uses: atlassian/gajira-comment@v2.0.2
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
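Review bot: correcting only the trailing comment, as suggested below, documents an unintended upgrade rather than reverting it; the `# v2.0.2` text was evidently carried over from the removed `@v2.0.2` reference without checking what the SHA is. Since the comment is the only human-readable record of what the pin means (and what later bump tooling will read), fix it together with a deliberate choice of which release this step should run.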


🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.1. Update the version comment accordingly.

Suggested change
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v3.0.1

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
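Review bot: this is the step that handles the Jira credentials, so it is the worst place to let the pinned commit drift from the version the comment claims. Verify the SHA against the tag the step was previously using (`@v2.0.0`) rather than editing the comment to match whatever the SHA happens to be.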


🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.0. Update the comment to match the version.

Suggested change
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v3.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
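Review bot: a pin that moves actions/github-script from `@v2.0.0` to a commit described as v3.1.0 changes the action that executes the inline script in the `github_issue_type` step; run the workflow once with this SHA before merging so the step's output is confirmed unchanged, and make the comment state the version the SHA actually is.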


🟡 MEDIUM RISK

Suggestion: The SHA points to v3.1.0, not v2.0.0. Update the comment to reflect the actual version being pinned.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v3.1.0
