
Security: pin GitHub Actions to SHA hashes #74

Merged
DMarinhoCodacy merged 1 commit into master from security/pin-actions-to-sha
Apr 8, 2026

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues: 0 issues

Results:
0 new issues

@codacy-production (bot) left a comment

Pull Request Overview

While this PR correctly identifies the need to pin GitHub Actions to immutable SHAs for security, it introduces a critical bug and fails to address existing security risks within the workflows.

Specifically, a logic error in .github/workflows/comment_issue.yml will cause steps to be skipped because the if conditions attempt to access environment variables that are not yet in scope. Furthermore, although the PR is labeled for 'Security', multiple workflow files utilize unsafe ${{ }} interpolation within script blocks, which is a known vector for script injection. Finally, there is a discrepancy between the pinned SHA and the human-readable version comment in the comment workflow, which violates the maintainability requirements. These issues must be resolved before merging.

About this PR

  • Across all modified workflows, there is a systemic use of direct interpolation (e.g., ${{ toJson(...) }}) inside script blocks. This is a security risk. To align with the security goals of this PR, these should be refactored to use the env context or the context object provided by the action.
  • There is currently no automated validation to ensure that the 40-character commit SHAs provided actually correspond to the version tags declared in the comments. Manual verification revealed at least one mismatch (SHA for v3.1.0 labeled as v2.0.0).

Test suggestions

  • Verify that all 'uses:' statements in modified YAML files utilize a 40-character SHA hash instead of a tag.
  • Verify that human-readable version comments (e.g., # v2.0.0) are present for every pinned action.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
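Review bot: the pinned line swaps the ref, but nothing in this hunk ties 90a599561baaf8c05b080645ed73db7391c246ed to the v2.0.0 tag named in the trailing comment; before merging, resolve the tag with `git ls-remote --tags https://github.com/atlassian/gajira-login v2.0.0` and compare against the dereferenced `^{}` entry if the tag is annotated, and keep the comment in step with the SHA, since Dependabot reads that comment to decide which version a SHA pin represents.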

🔴 HIGH RISK

The if condition on line 57 references env variables that are not yet in scope because they are defined in the step's own env block. This causes the step to skip unexpectedly. Use the steps context to access outputs from previous steps.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
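Review bot: the same SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 with `# v2.0.0` is repeated in the two "Add comment after sync" steps further down this file; if the comment is wrong here it is wrong in all three places, so correct them together and have the audit script that generated this PR emit the comment from the tag it actually resolved rather than hand-editing each occurrence.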

🟡 MEDIUM RISK

The pinned SHA for actions/github-script is for v3.1.0, but the comment says v2.0.0. Both are deprecated as they use Node.js 12. Upgrade to v7.0.1 (SHA: 60a0d83039c74a4aee543508d2ffcb1c37996e00) for Node.js 20 support. Furthermore, the script uses ${{ toJson(...) }} interpolation; this is a security risk. Use the context object instead.

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
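Review bot: the `if:` on the preceding line compares `github.event.label.name` with `env.JIRA_ISSUE_LABEL` inside an expression, which is safe on its own; expression evaluation does not interpolate into shell or JavaScript source, so the injection concern applies to the `script:` body of this step, not to this condition.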

🟡 MEDIUM RISK

Suggestion: Avoid direct interpolation of context variables inside the script block to prevent injection vulnerabilities. Use the env context to pass variables into the script environment.

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
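Review bot: this step carries the same name "Add comment after sync" as the step above but a different condition (`env.JIRA_CREATE_ISSUE_AUTO` instead of the label comparison); give the two steps distinct names so run logs and any later `steps.<id>` references are unambiguous.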

🟡 MEDIUM RISK

Suggestion: To improve security and prevent potential script injection, avoid using interpolation directly inside the script block. Pass values via the env context and access them through process.env instead, following the pattern used in the 'Update GitHub issue' step.
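The two checks in the bot's test suggestions (every `uses:` is a 40-character SHA, every pin carries a version comment) and the repeated warning about `${{ }}` expanded inside `script:` and `run:` blocks can be mechanised in one lint. The following is an added example, not the Codacy audit script or any code from this repository: a line-oriented Python scan over workflow text, with a constructed sample workflow whose all-zero SHAs are placeholders rather than real commits. It does not check that a SHA resolves to the tag named in its comment, which needs network access (`git ls-remote`).

```python
import re

# Full 40-hex commit SHA; anything else (tag, branch, short SHA) is mutable or ambiguous.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "- uses: owner/repo@ref # v1.2.3" -> (ref, optional trailing version comment)
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)(?:\s+#\s*(\S+))?")
# Keys whose value is executed as code: shell for run:, JavaScript for github-script's script:
CODE_KEY_RE = re.compile(r"^(\s*)(?:-\s+)?(run|script):\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{")
BLOCK_INDICATORS = {"|", "|-", "|+", ">", ">-", ">+"}


def lint_workflow(text):
    """Return (line_number, kind, detail) findings for one workflow file's text.

    kinds: UNPINNED            uses: ref is not a full 40-character SHA
           NO_VERSION_COMMENT  SHA pin lacks the trailing '# vX.Y.Z' comment
           EXPR_IN_SCRIPT      ${{ }} expression expanded inside run:/script: source
    Line-oriented on purpose so it runs without a YAML library.
    """
    findings = []
    block_indent = None  # indent of the run:/script: key while inside its block scalar
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # dedent closes the block scalar
            else:
                if EXPR_RE.search(line):
                    findings.append((lineno, "EXPR_IN_SCRIPT", stripped))
                continue
        m = USES_RE.match(line)
        if m:
            ref, version = m.group(1), m.group(2)
            # Local (./path) and docker:// references have no tag/SHA ref to pin; skip them.
            if "@" in ref and not ref.startswith(("./", "docker://")):
                pin = ref.rpartition("@")[2]
                if not SHA_RE.match(pin):
                    findings.append((lineno, "UNPINNED", ref))
                elif version is None:
                    findings.append((lineno, "NO_VERSION_COMMENT", ref))
            continue
        m = CODE_KEY_RE.match(line)
        if m:
            value = m.group(3).strip()
            if value in BLOCK_INDICATORS:
                block_indent = len(m.group(1))  # body follows on deeper-indented lines
            elif EXPR_RE.search(value):
                findings.append((lineno, "EXPR_IN_SCRIPT", stripped))
    return findings


# Constructed sample workflow (not this repository's file); the all-zero SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: sample
on: [issues]
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - name: Pinned by tag (mutable, flagged)
        uses: actions/github-script@v2.0.0
        with:
          script: |
            const issue = ${{ toJson(github.event.issue) }};
            core.info(issue.title);
      - name: Pinned by SHA but no version comment (flagged)
        uses: actions/checkout@0000000000000000000000000000000000000000
      - name: Pinned by SHA, expression passed through env (clean)
        uses: actions/github-script@0000000000000000000000000000000000000000 # v0.0.0
        env:
          ISSUE_JSON: ${{ toJson(github.event.issue) }}
        with:
          script: |
            const issue = JSON.parse(process.env.ISSUE_JSON);
            core.info(issue.title);
      - name: Shell step with inline expression (flagged)
        run: echo "Title: ${{ github.event.issue.title }}"
"""


if __name__ == "__main__":
    for lineno, kind, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

The third step in the sample is the pattern the reviewer recommends: the expression is placed in `env:`, where it becomes an environment variable value, and the script reads it through `process.env`, so issue text is never spliced into JavaScript source. Expressions in `env:` values are therefore not flagged; only expressions that land inside executed `run:` or `script:` text are.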

@DMarinhoCodacy DMarinhoCodacy merged commit be361fe into master Apr 8, 2026
5 checks passed