Up to standards ✅
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
5687db3 to ff9dbe6
Pull Request Overview
This PR successfully implements security pinning of GitHub Actions to immutable SHA hashes. However, several critical issues remain. First, the chosen versions (e.g., actions/checkout@v2) rely on the deprecated Node.js 12 runtime, which will eventually cause workflow failures. Second, the 'auto-merge.yml' workflow contains a high-risk security pattern by combining 'pull_request_target' with a code checkout of the PR head, which could lead to secret exposure. Although the PR is technically 'Up to Standards' according to Codacy, these structural risks should be resolved before merging.
Test suggestions
- Verify that actions/checkout in auto-merge.yml is pinned to SHA ee0669bd1cc54295c223e0bb666b733df41de1c5.
- Verify that Atlassian gajira actions in issue creation and comment workflows are pinned to their respective SHA hashes.
- Verify that all instances of actions/github-script are updated to the consistent SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45.
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 |
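Review bot: the pin replaces the `v2` tag but keeps the job's `if: github.actor == 'dependabot[bot]'` gate as the only guard; `github.actor` is the identity that triggered the run, not necessarily the PR author, so for a workflow that checks out the incoming PR head it is safer to also test `github.event.pull_request.user.login == 'dependabot[bot]'`. The trailing `# v2` comment on the pinned line is the right convention, since Dependabot uses it to keep bumping the SHA, but the commit it points at is still a v2 release, so the deprecated-runtime issue is unchanged by this hunk.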
🔴 HIGH RISK
The version of actions/checkout being pinned (v2) uses a deprecated Node.js 12 runtime; upgrade to v4 to ensure compatibility with modern GitHub runners. Furthermore, using 'pull_request_target' in combination with checking out code from the incoming PR ('github.event.pull_request.head.sha') is a high-risk security pattern that can expose repository secrets. If the 'ahmadnassri/action-dependabot-auto-merge' action only performs API calls and does not require a local checkout, remove this step entirely.
Try running this prompt in your coding agent:
> Upgrade all GitHub Actions to their latest stable major versions (v4 for checkout, v7 for github-script) while pinning to commit SHAs, and remove the checkout step in 'auto-merge.yml' if it is not required for the dependabot-auto-merge action.
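The two Codacy comments above ask for two different checks: that every `uses:` in the workflows is pinned to a commit SHA (the "Test suggestions" in the overview), and that `auto-merge.yml` does not combine `pull_request_target` with a checkout of the PR head. The following is an added example, not code from this PR, from Codacy or from the repository: a dependency-free Python linter that performs both checks on workflow text. It is deliberately line-based (no PyYAML) because `uses:` is always a single scalar line. The two workflow snippets are constructed to mirror the hunk; the `actions/checkout` SHA is the one named in the review, the `ahmadnassri/action-dependabot-auto-merge` SHA is an obviously fake placeholder, and the `with:` blocks are assumptions. The point the samples make is that pinning alone clears the first finding but not the second.

```python
"""Lint GitHub workflow text for (1) action refs that are not full commit
SHAs and (2) actions/checkout of the PR head under pull_request_target.
Line-based on purpose: no PyYAML needed, `uses:` is always one scalar line."""
import re
from typing import Dict, List, Set

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
STEP_START_RE = re.compile(r"^\s*-\s")  # next list item ends a step's `with:` block


def find_unpinned_actions(text: str) -> List[dict]:
    """Return one finding per `uses:` whose ref is not a 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local path or container image: no git ref to pin
        action, sep, version = ref.rpartition("@")
        if not sep:
            findings.append({"line": lineno, "uses": ref, "reason": "no version at all"})
        elif not SHA_RE.match(version):
            findings.append({"line": lineno, "uses": ref, "reason": f"mutable ref {version!r}"})
    return findings


def pinned_shas(text: str) -> Dict[str, Set[str]]:
    """Map action name -> set of commit SHAs it is pinned to (mutable refs ignored).
    Lets a test assert that a specific action is pinned to a specific SHA."""
    pins: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue
        action, _, version = m.group(1).rpartition("@")
        if SHA_RE.match(version):
            pins.setdefault(action, set()).add(version)
    return pins


def find_prt_head_checkout(text: str) -> List[int]:
    """1-based line numbers of actions/checkout steps that check out the PR head
    (`ref:` mentioning pull_request.head) in a workflow that is triggered by
    pull_request_target. Such a step runs untrusted PR code with the base
    repository's write token and secrets."""
    lines = text.splitlines()
    if not any(re.search(r"\bpull_request_target\b", ln) for ln in lines):
        return []
    hits = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or not m.group(1).startswith("actions/checkout"):
            continue
        for j in range(i + 1, len(lines)):  # scan this step's `with:` block only
            if STEP_START_RE.match(lines[j]):
                break
            if re.search(r"\bref:\s*.*pull_request\.head", lines[j]):
                hits.append(i + 1)
                break
    return hits


# Constructed sample mirroring the auto-merge.yml hunk before the PR.
BEFORE = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Same workflow after pinning. The checkout SHA is the one named in the review;
# the auto-merge SHA is a constructed placeholder, not the real commit.
AFTER = BEFORE.replace(
    "actions/checkout@v2",
    "actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2",
).replace(
    "action-dependabot-auto-merge@main",
    "action-dependabot-auto-merge@0123456789abcdef0123456789abcdef01234567 # placeholder SHA",
)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, "unpinned:", find_unpinned_actions(wf))
        print(label, "pull_request_target head checkout at lines:", find_prt_head_checkout(wf))
```

Running it shows two mutable refs and one risky checkout in `BEFORE`, and zero mutable refs but the same risky checkout in `AFTER`: the supply-chain pin and the `pull_request_target` exposure are independent problems, which is why the high-risk comment still applies to the pinned file. Point the functions at the contents of each file under `.github/workflows/` to run the same checks across a repository.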
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.