
Security: pin GitHub Actions to SHA hashes #83

Merged

DMarinhoCodacy merged 1 commit into master from security/pin-actions-to-sha on Apr 8, 2026

Conversation

@jorgebraz


Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
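A pin-and-verify tool for the procedure the description outlines, as an added example written for this review (it is not the Codacy security audit script the description mentions). It finds `uses:` references still on a tag or branch, rewrites them as `@sha # tag`, and re-checks existing pins against what the tag currently resolves to, which is the check a reviewer wants before trusting the trailing comments. The sample workflow and every SHA in it are constructed placeholders, and `resolve_tag_commit` is the only part that needs network access.

```python
"""Audit `uses:` lines in GitHub Actions workflows and pin them to commit SHAs.

Added example, not the Codacy audit script named in the PR. Runs offline on a
constructed snippet; only resolve_tag_commit() shells out to git and needs network.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# `uses: owner/repo[/subdir]@ref  # optional comment` (local ./ and docker:// refs are ignored)
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA counts as pinned
Resolver = Callable[[str, str], str]    # (action, tag) -> commit SHA


def parse_uses(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """(action, ref, trailing comment) for a `uses:` line, else None."""
    m = USES_RE.match(line)
    return (m.group("action"), m.group("ref"), m.group("comment")) if m else None


def is_sha_pinned(ref: str) -> bool:
    return bool(SHA_RE.match(ref))


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Actions still on a mutable tag or branch, as (line_no, action, ref)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed and not is_sha_pinned(parsed[1]):
            findings.append((no, parsed[0], parsed[1]))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite `@tag` as `@sha # tag`. Keep the comment: Dependabot and Renovate
    read it to know which version the SHA stands for when they bump the pin."""
    m = USES_RE.match(line)
    if not m or is_sha_pinned(m.group("ref")):
        return line
    if not SHA_RE.match(sha):
        raise ValueError(f"refusing to pin to a non-commit ref: {sha!r}")
    return f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"


def pin_workflow(text: str, resolve: Resolver) -> str:
    out = []
    for line in text.splitlines():
        parsed = parse_uses(line)
        if parsed and not is_sha_pinned(parsed[1]):
            line = pin_line(line, resolve(parsed[0], parsed[1]))
        out.append(line)
    return "\n".join(out) + "\n"


def check_pin_comments(text: str, resolve: Resolver) -> List[Tuple[int, str, str, str]]:
    """For `@sha # tag` lines, report (line_no, action, pinned_sha, current_sha) where the
    tag no longer resolves to the pinned commit: either the comment is stale or the tag
    has moved, which is the force-push scenario the pinning defends against."""
    mismatches = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if not parsed or not is_sha_pinned(parsed[1]) or not parsed[2]:
            continue
        action, sha, comment = parsed
        current = resolve(action, comment.split()[0])
        if current != sha:
            mismatches.append((no, action, sha, current))
    return mismatches


def resolve_tag_commit(action: str, tag: str) -> str:
    """Resolve a tag via `git ls-remote --tags` (network). An annotated tag lists both the
    tag object and a peeled `<tag>^{}` line; the pin must be the peeled commit SHA."""
    repo = "/".join(action.split("/")[:2])
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git", tag],
        check=True, capture_output=True, text=True,
    ).stdout
    refs = {ref: sha for sha, ref in (entry.split("\t") for entry in out.splitlines())}
    commit = refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")
    if not commit:
        raise LookupError(f"{repo} has no tag {tag}")
    return commit


# Constructed sample. The first `uses:` mirrors the PR's before-state; the SHAs are
# placeholders, not real commits of these actions.
SAMPLE_WORKFLOW = """\
steps:
  - name: Add comment after sync
    uses: actions/github-script@v2.0.0
  - uses: actions/checkout@main
  - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4.0.0
"""
FAKE_TAGS = {
    ("actions/github-script", "v2.0.0"): "2" * 40,
    ("actions/checkout", "main"): "3" * 40,
    ("actions/setup-node", "v4.0.0"): "1" * 40,
}


def fake_resolver(action: str, tag: str) -> str:
    """Offline stand-in for resolve_tag_commit()."""
    return FAKE_TAGS[(action, tag)]


if __name__ == "__main__":
    print("still on mutable refs:", audit_workflow(SAMPLE_WORKFLOW))
    print(pin_workflow(SAMPLE_WORKFLOW, fake_resolver))
```

Run `check_pin_comments` with `resolve_tag_commit` on a schedule, not only at pin time: a non-empty result means a tag no longer points where the comment says, which is exactly the signal the pinning is meant to surface.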
@codacy-production


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.



@codacy-production codacy-production Bot left a comment


Pull Request Overview

While the transition to SHA pinning is complete and Codacy reports the PR as up to standards, critical logic and security flaws exist in the modified workflow scripts. The absence of 'await' on asynchronous Octokit calls across all files will likely result in race conditions and silent failures. Furthermore, a potential expression injection vulnerability in 'comment_issue.yml' poses a security risk. Additionally, the acceptance criteria for verifying SHA-to-tag correspondence and functional workflow execution remain unverified in the current state. These defects should be resolved before approval.

About this PR

  • The Jira ticket metadata is completely empty, limiting traceability. Additionally, the PR description contains a reference to a 'March 2026' security incident, which appears to be a placeholder or date error.

Test suggestions

  • Verify that the workflows remain functional and execute correctly with SHA-pinned actions.
  • Verify that the provided SHAs correspond to the tagged versions mentioned in the comments (v2.0.0, v2.0.1, v2.0.2).

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
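Review bot: the `# v2.0.0` comment on the new `uses:` line is a claim the diff cannot prove on its own; before merging, confirm that the 40-character SHA is the commit `v2.0.0` of actions/github-script points at, for example with `git ls-remote --tags https://github.com/actions/github-script v2.0.0`. If the tag is annotated the listing has two entries, the tag object and a peeled `v2.0.0^{}` line, and the pin should be the peeled commit SHA, which is what the comment claims to record.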


🔴 HIGH RISK

Ensure the 'github.issues.createComment' call is awaited so that the sync confirmation comment is reliably created.

Try running the following prompt in your coding agent:

In '.github/workflows/create_issue_on_label.yml', update the 'Add comment after sync' step to await the 'github.issues.createComment' call.

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
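Review bot: keep the trailing `# v2.0.0` in exactly this `@sha # tag` shape on every pinned line, not just here. Dependabot's `github-actions` ecosystem reads that comment to know which version the SHA stands for and rewrites both the SHA and the comment when it proposes a bump; a pin without it silently stops receiving updates. If the repository has no `.github/dependabot.yml` with `package-ecosystem: github-actions`, this PR is the natural place to add one.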


🔴 HIGH RISK

The call to 'github.issues.update' should be awaited to ensure the issue title is correctly modified before the runner moves to the next step.

Try running the following prompt in your coding agent:

In '.github/workflows/create_issue_on_label.yml', update the 'Change Title' step to await the 'github.issues.update' call.

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
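Review bot: this pin freezes the workflow on the v2 line of actions/github-script, and the script in this step calls `github.issues.createComment` directly, which is the v2-era client surface. From github-script v5 the REST client lives under `github.rest.*`, so whoever later bumps this SHA to a newer major must also change the script bodies (`github.rest.issues.createComment`) or the step fails at runtime with a TypeError on `github.issues`. A one-line comment in the workflow saying so would save the next person that surprise.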


🔴 HIGH RISK

The 'github.issues.createComment' call is asynchronous and should be awaited to ensure the confirmation comment is reliably posted to the issue.

Try running the following prompt in your coding agent:

In '.github/workflows/create_issue.yml', update the 'Add comment after sync' step to await the 'github.issues.createComment' call.

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
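Review bot: this is the fourth step pinned to the same SHA and there are more below, each carrying a hand-written `# v2.0.0`. Rather than trusting six comments by eye, have CI re-check them: a small job that resolves each comment's tag and fails when the pinned SHA no longer matches catches both a stale comment and the moved-tag case this PR is meant to defend against.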


🔴 HIGH RISK

The 'github.issues.update' and 'github.issues.addLabels' methods are asynchronous and return Promises. They must be prefixed with 'await' to ensure the GitHub issue is updated before the workflow step completes.

Try running the following prompt in your coding agent:

In '.github/workflows/create_issue.yml', update the 'Update GitHub issue' step to await the 'github.issues.update' and 'github.issues.addLabels' calls.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0


🟡 MEDIUM RISK

The regex match in the 'script' block may return 'null' if the issue title doesn't follow the expected '[PROJECT-KEY]' format. Accessing index '[1]' on a null result will cause the workflow to fail with a 'TypeError'. Consider adding a check for the match result before accessing its capture groups.

Try running the following prompt in your coding agent:

Update the script in '.github/workflows/comment_issue.yml' to safely handle cases where the Jira issue key is not found in the title by checking the match result before accessing index 1.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
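Review bot: pinning the SHA changes nothing about what the `script:` in this step interpolates. Any `${{ github.event.issue.* }}` or `${{ toJson(github.event.issue.pull_request) }}` written directly inside `script:` is substituted into the JavaScript source as text before the step runs, so a crafted issue title or body can alter the program rather than only its data. Move the value out of the source, for instance `env:` followed by `ISSUE_JSON: ${{ toJson(github.event.issue) }}` on the step, and read it in the script with `const issue = JSON.parse(process.env.ISSUE_JSON);`; the script text then stays constant regardless of input.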


🟡 MEDIUM RISK

Suggestion: While pinning actions to commit SHAs is a security best practice, this script block remains vulnerable to expression injection. Directly interpolating context variables like '${{ toJson(github.event.issue.pull_request) }}' into the 'script' can allow malicious input to escape the data context and execute arbitrary code. It is safer to pass context data via environment variables and parse it within the script as JSON.

Try running the following prompt in your IDE agent:

Refactor the 'actions/github-script' steps in '.github/workflows/comment_issue.yml' to pass 'github.event.issue' data (like 'pull_request' and 'labels') via environment variables instead of direct interpolation in the 'script' block, following the secure pattern used in other workflows in this repository.
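The env-variable pattern recommended above over direct interpolation, as an added example that is not the repository's workflow or script code: a small Python imitation of the runner's expression expansion (plain text substitution) applied to two ways of writing the same github-script step. The issue title, the label list and the `ISSUE_TITLE`/`ISSUE_LABELS` variable names are constructed for the demonstration, and `json.dumps` stands in for the runner's `toJson`.

```python
"""Expression injection in a github-script `script:` block versus passing data via `env:`.

Added example, not the repository's workflow code. render_expressions() imitates what
the Actions runner does with `${{ }}`: text substitution, with no escaping for the
JavaScript around it. The issue data and variable names are constructed.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# `${{ path }}` and `${{ toJson(path) }}`, the two forms the workflows on this PR use
EXPR_RE = re.compile(r"\$\{\{\s*(?:(toJson)\()?([\w.]+)\)?\s*\}\}")


def _lookup(context: Dict[str, Any], path: str) -> Any:
    value: Any = context
    for part in path.split("."):
        value = value[part]
    return value


def render_expressions(template: str, context: Dict[str, Any]) -> str:
    """Replace every expression with its value before the step runs, as the runner does.
    json.dumps stands in for toJson; plain values are inserted verbatim."""
    def substitute(m: "re.Match[str]") -> str:
        value = _lookup(context, m.group(2))
        return json.dumps(value) if m.group(1) else str(value)
    return EXPR_RE.sub(substitute, template)


def issue_context(title: str, labels: List[str]) -> Dict[str, Any]:
    """Constructed stand-in for the `github` context of an `issues` event."""
    issue = {"title": title, "labels": [{"name": name} for name in labels]}
    return {"github": {"event": {"issue": issue}}}


# Vulnerable form: the title and labels become part of the JavaScript source.
INLINE_SCRIPT = (
    "const title = '${{ github.event.issue.title }}';\n"
    "const labels = ${{ toJson(github.event.issue.labels) }};\n"
    "core.info(`${title}: ${labels.length} label(s)`);\n"
)

# Safer form: the source is fixed; values travel as environment variables and are
# parsed inside the script, so a quote in the title is data, not code.
ENV_BLOCK = {
    "ISSUE_TITLE": "${{ github.event.issue.title }}",
    "ISSUE_LABELS": "${{ toJson(github.event.issue.labels) }}",
}
ENV_SCRIPT = (
    "const title = process.env.ISSUE_TITLE;\n"
    "const labels = JSON.parse(process.env.ISSUE_LABELS);\n"
    "core.info(`${title}: ${labels.length} label(s)`);\n"
)


def render_inline_step(context: Dict[str, Any]) -> str:
    """Script source github-script would receive for the inline form."""
    return render_expressions(INLINE_SCRIPT, context)


def render_env_step(context: Dict[str, Any]) -> Tuple[str, Dict[str, str]]:
    """(script source, env) for the env form; only the env values depend on input."""
    env = {name: render_expressions(expr, context) for name, expr in ENV_BLOCK.items()}
    return ENV_SCRIPT, env


# Constructed hostile title: closes the string literal and adds a statement.
EVIL_TITLE = "Fix login'); core.setFailed('injected'); ('"


def source_changed_by_input(render, benign: str, hostile: str) -> bool:
    """True when the script text itself differs between two titles, i.e. the input
    reached the code rather than only the data."""
    return render(issue_context(benign, ["jira"])) != render(issue_context(hostile, ["jira"]))


if __name__ == "__main__":
    print(render_inline_step(issue_context(EVIL_TITLE, ["jira"])))
    script, env = render_env_step(issue_context(EVIL_TITLE, ["jira"]))
    print(script, env, sep="\n")
```

With the inline form, the hostile title turns one `const` statement into three; with the env form the script text is identical for every title and the title only ever appears as the value of `process.env.ISSUE_TITLE`. The same holds for `toJson(...)` payloads: emit them into an `env:` entry and `JSON.parse` them rather than splicing them into the source.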

@DMarinhoCodacy DMarinhoCodacy merged commit 7923520 into master Apr 8, 2026
7 checks passed