Security: pin GitHub Actions to SHA hashes#578
Pull Request Overview
This PR attempts to improve security by pinning GitHub Actions to SHA hashes; however, the implementation is currently incomplete and maintains a high-risk security vulnerability. Codacy analysis indicates that the changes are not up to standards.
The most critical issues involve a security vulnerability in the auto-merge.yml workflow configuration and an accidental version downgrade of the actions/checkout action. Furthermore, the PR fails to meet its own objective as one action remains pinned to a mutable tag. These issues must be addressed to ensure the stability and security of the CI/CD pipeline.
About this PR
- There is no verification evidence or automated test run results provided to confirm that the chosen SHAs are correct and functional for this environment. Manual or CI verification of the workflows is necessary before merging.
Test suggestions
- Verify the 'auto-merge' workflow executes successfully with pinned actions.
- Verify the 'comment_issue' workflow executes successfully with pinned actions.
- Verify the 'create_issue' workflow executes successfully with pinned actions.
- Verify the 'create_issue_on_label' workflow executes successfully with pinned actions.
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 |
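Review bot: the trailing `# v2` comment on the new `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5` line should record the exact release the SHA resolves to (`# vX.Y.Z`), not the moving major tag this PR is removing; a pin whose comment cannot be checked against its SHA is hard to audit and hard for update tooling to track. The `if: github.actor == 'dependabot[bot]'` guard above it restricts who can trigger the job, not what the checked-out action code does, so the SHA pin is the only integrity control on this step and its comment should make the pinned version unambiguous.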
🔴 HIGH RISK
Multiple issues identified in .github/workflows/auto-merge.yml:
- Security Vulnerability: Using `pull_request_target` while checking out the PR's head SHA allows untrusted code to access repository secrets. It is recommended to use the standard `pull_request` trigger instead.
- Version Downgrade: The SHA `ee0669bd1cc54295c223e0bb666b733df41de1c5` pins `actions/checkout` to v2.0.0. Since the original code used `@v2`, this introduces a downgrade from the latest v2 patches. Use `2541b1294d2704b0964813337f33b291d3f8596b` (v2.4.2) instead.
- Missed Pin: The action `ahmadnassri/action-dependabot-auto-merge@v2` (referenced later in the file) was not updated to a SHA hash, which contradicts the goal of this PR.
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
5a8e268 to 121db32
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
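The two findings in this thread, a `uses:` reference still on a mutable tag and a `pull_request_target` workflow that checks out the PR head, are both things a repository can check for itself before merging a pinning PR. The script below is an added example written for this page, not the Codacy audit script the PR description mentions and not part of the project. It scans workflow text with regular expressions (so it assumes the usual one-key-per-line YAML layout and needs no YAML library), flags non-SHA `uses:` references, flags SHA pins whose trailing comment does not name an exact release, and flags a `ref:` pointing at the PR head under `pull_request_target`. The sample workflow and the rule names (`unpinned`, `pin-comment`, `prt-head-checkout`) are constructed for the example.

```python
"""Static checks for the issues raised in the review: GitHub Actions
referenced by a mutable tag, SHA pins without an exact-version comment, and
a pull_request_target workflow that checks out the pull request head (which
lets untrusted PR code run with repository secrets). Regex-based, so it
assumes the conventional one-key-per-line workflow layout."""
import re
from dataclasses import dataclass

# Constructed sample (not the PR's real file); it reproduces both patterns.
SAMPLE_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(.*)$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT = re.compile(r"#\s*v?\d+\.\d+\.\d+")
# Matches pull_request_target as a mapping key, list item or inline `on:` value.
PRT_TRIGGER = re.compile(r"^\s*(?:on:\s*)?(?:\[\s*|-\s*)?pull_request_target\b")
HEAD_REF = re.compile(r"^\s*ref:.*github\.event\.pull_request\.head\.(?:sha|ref)")


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def audit_uses_refs(text):
    """Flag every `uses:` that is not a full-SHA pin, and SHA pins whose
    trailing comment does not record the exact release they resolve to."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref, rest = m.group(1), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local path or container image: nothing to pin here
        if "@" not in ref:
            findings.append(Finding(n, "unpinned", f"{ref} has no version reference"))
            continue
        name, version = ref.rsplit("@", 1)
        if not FULL_SHA.match(version):
            findings.append(Finding(n, "unpinned", f"{name} uses mutable ref {version}"))
        elif not VERSION_COMMENT.search(rest):
            findings.append(Finding(n, "pin-comment",
                                    f"{name} SHA pin lacks an exact version comment"))
    return findings


def audit_pull_request_target(text):
    """If the workflow runs on pull_request_target, flag any checkout step that
    sets ref: to the PR head; that combination hands secrets to PR code."""
    lines = text.splitlines()
    if not any(PRT_TRIGGER.match(l) for l in lines):
        return []
    return [Finding(n, "prt-head-checkout",
                    "pull_request_target workflow checks out the PR head")
            for n, line in enumerate(lines, 1) if HEAD_REF.match(line)]


def audit_workflow(text):
    """Run both audits and return the findings in file order."""
    return sorted(audit_uses_refs(text) + audit_pull_request_target(text),
                  key=lambda f: f.line)


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run against the sample it reports three lines: the checkout pin with only `# v2` as its comment, the `ref:` that checks out the PR head under `pull_request_target`, and the auto-merge action still on `@v2`. Switching the trigger to `pull_request` silences the head-checkout rule, which is the fix the review recommends; the pin findings remain until the reference is a full commit SHA with an exact version comment.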