Security: pin GitHub Actions to SHA hashes #192

Open
jorgebraz wants to merge 1 commit into main from security/pin-actions-to-sha
Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@jorgebraz jorgebraz requested a review from a team as a code owner March 24, 2026 17:35
@codacy-production

codacy-production bot commented Mar 24, 2026

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

🟢 Coverage ∅ diff coverage · +0.00% coverage variation
Metric              Results
Coverage variation  +0.00% coverage variation
Diff coverage       ∅ diff coverage

Coverage variation details
                                   Coverable lines  Covered lines   Coverage
Common ancestor commit (3075123)   Report Missing   Report Missing  Report Missing
Head commit (f9097c5)              6629 (+0)        1532 (+0)       23.11% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                       Coverable lines  Covered lines  Diff coverage
Pull request (#192)    0                0              ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production bot left a comment

Pull Request Overview

Although Codacy analysis reports the PR is up to standards, there is a critical logic error that will break the release workflow. The SHA hash provided for actions/setup-node is incorrect, belonging to the actions/setup-python repository. Furthermore, none of the required actions appear to have been correctly pinned with the mandatory version comments, leaving the security requirements for this PR largely unfulfilled.

Test suggestions

  • Verify 'actions/checkout' is pinned to a commit SHA and includes a version comment.
  • Verify 'actions/setup-node' is pinned to a commit SHA and includes a version comment.
  • Verify 'HaaLeo/publish-vscode-extension' is pinned to a commit SHA and includes a version comment.
  • Verify 'ncipollo/release-action' is pinned to a commit SHA and includes a version comment.
  • Verify 'slackapi/slack-github-action' is pinned to a commit SHA and includes a version comment.
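The checks the review asks for, written out as an added example that is not part of this PR, the project's code, or Codacy's audit script: a small Python linter that walks a workflow file, finds every `uses: owner/repo@ref` step, and reports whether `ref` is a full 40-hex commit SHA and whether a version comment such as `# v3.8.2` follows it. The status names, the regular expressions and the sample workflow (including its SHAs, which are placeholders rather than real commits of the named actions) are my own constructions. It deliberately does not check that a SHA exists in the named repository, which is the defect the inline review found on this PR; that needs a lookup against the repository (for example `git ls-remote`) and cannot be done offline.

```python
"""Lint a GitHub Actions workflow for SHA pinning plus version comments.

For every `uses: owner/repo@ref` step: `ref` must be a 40-hex commit SHA
(mutable tags and branches are flagged) and a version comment must follow
(`# v3.8.2`), so the pin can be audited and updated later. Whether the SHA
really belongs to that repository is NOT checked here (needs a network
lookup such as `git ls-remote`).
"""
import re

# `- uses: owner/repo[/path]@ref  # comment`. Local steps (./...) and
# docker:// images have no `owner/repo@ref` form and are simply ignored.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s+#\s*(?P<comment>\S.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")         # full commit SHA, lowercase hex
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*$")  # e.g. v3, v3.8.2, 4.1.1


def classify(ref, comment):
    """Return 'pinned', 'mutable-ref' or 'sha-without-version-comment'."""
    if not SHA_RE.match(ref):
        return "mutable-ref"  # a tag or branch: whoever controls it can move it
    if comment is None or not VERSION_RE.match(comment):
        return "sha-without-version-comment"
    return "pinned"


def check_workflow(text):
    """Return one finding dict per `uses:` step, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": m.group("ref"),
            "comment": m.group("comment"),
            "status": classify(m.group("ref"), m.group("comment")),
        })
    return findings


def unpinned(findings):
    """Findings that still need attention (anything not fully pinned)."""
    return [f for f in findings if f["status"] != "pinned"]


# Constructed workflow for illustration only; the SHAs are placeholders,
# not real commits of the named actions.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node version
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ncipollo/release-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    results = check_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f['line']:>3}  {f['status']:<28} {f['action']}@{f['ref']}")
    print("actions left as tags or without a version comment:", len(unpinned(results)))
```

Run against the sample, the checkout step is reported as `mutable-ref`, the setup-node step as `pinned`, and the release step as `sha-without-version-comment`; the local step is skipped. To use it on a repository, read each file under `.github/workflows/` and pass its text to `check_workflow`, failing CI when `unpinned` is non-empty.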

fetch-depth: 0
- name: Setup Node version
uses: actions/setup-node@v3
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
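Review bot: the added `uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3` line pins to a commit that the inline review identifies as belonging to actions/setup-python, so the step will fail to resolve, and its `# v3` comment records only a major tag rather than the exact version the SHA was taken from. Resolve the tag in the correct repository (for example `git ls-remote https://github.com/actions/setup-node v3.8.2`, taking the peeled `^{}` commit if the tag is annotated), confirm that commit is reachable there, and write the exact tag in the comment (`# v3.8.2`) so the pin can be audited and pin-updating tools can track it.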

🔴 HIGH RISK

The SHA 3235b876344d2a9aa001b8d1453c930bba69e610 belongs to the actions/setup-python repository, not actions/setup-node. This will cause the workflow to fail. Use the correct SHA for actions/setup-node@v3.8.2 instead.

Suggested change
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
uses: actions/setup-node@64ed570e647c51e000939a0658227bccb3561bd2 # v3

Contributor


Is this comment accurate, @jorgebraz?
