Skip to content

Security: pin GitHub Actions to SHA hashes #40

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jorgebraz wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Security: pin GitHub Actions to SHA hashes #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/comment_issue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Check GitHub Issue type
if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
Copy link
Copy Markdown

@codacy-production codacy-production bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Suggestion: The SHA points to v3.1.0, not v2.0.0. Update the comment to reflect the actual version being pinned.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v3.1.0

with:
result-encoding: string
script: |
Expand All @@ -33,7 +33,7 @@ jobs:
- name: Check if GitHub Issue has JIRA_ISSUE_LABEL
if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_has_jira_issue_label
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_LABEL: ${{ secrets.JIRA_ISSUE_LABEL }}
with:
Expand All @@ -56,7 +56,7 @@ jobs:
- name: Jira Login
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
Copy link
Copy Markdown

@codacy-production codacy-production bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.0. Update the comment to match the version.

Suggested change
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v3.0.0

env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand All @@ -67,7 +67,7 @@ jobs:
- name: Extract Jira number
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand All @@ -82,7 +82,7 @@ jobs:
- name: Jira Add comment on issue
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: add_comment_jira_issue
uses: atlassian/gajira-comment@v2.0.2
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
Copy link
Copy Markdown

@codacy-production codacy-production bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.1. Update the version comment accordingly.

Suggested change
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v3.0.1

env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/create_issue.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Jira Login
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
Expand All @@ -27,7 +27,7 @@ jobs:
- name: Jira Create issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
Copy link
Copy Markdown

@codacy-production codacy-production bot Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Suggestion: The SHA points to v3.0.1. Update the comment to reflect the pinned version.

Suggested change
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v3.0.1

with:
project: ${{ secrets.JIRA_PROJECT }}
issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }}
GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}
Expand All @@ -78,7 +78,7 @@ jobs:

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/create_issue_on_label.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Jira Login
if: github.event.label.name == env.JIRA_ISSUE_LABEL
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
Expand All @@ -27,7 +27,7 @@ jobs:
- name: Jira Create issue
if: github.event.label.name == env.JIRA_ISSUE_LABEL
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
with:
project: ${{ secrets.JIRA_PROJECT }}
issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }}
GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}
Expand All @@ -70,7 +70,7 @@ jobs:

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
Expand Down