You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR is currently not up to standards due to a combination of incomplete implementation and significant security risks. While the objective is to pin actions to SHA hashes, the 'ahmadnassri/action-dependabot-auto-merge@v2' action was overlooked. Furthermore, multiple files (comment_issue.yml, create_issue.yml, create_issue_on_label.yml) use SHA hashes for actions/github-script v3.0.0 while labeling them as v2.0.0, which may introduce breaking changes. Most critically, .github/workflows/auto-merge.yml contains a high-risk security vulnerability involving pull_request_target and an unsafe checkout of untrusted code, which should be addressed alongside the SHA pinning.
About this PR
The action 'ahmadnassri/action-dependabot-auto-merge@v2' in '.github/workflows/auto-merge.yml' was not updated to a SHA hash. This omission leaves the workflow vulnerable to supply chain attacks, which contradicts the stated security goal of this PR.
Across several files, the SHA hashes used for 'actions/github-script' correspond to version v3.0.0, but the accompanying comments refer to v2.0.0. This inconsistency should be resolved by either using the v2.0.0 SHA or updating the version labels to v3.0.0 after verifying compatibility.
Test suggestions
Ensure all actions in .github/workflows/auto-merge.yml are pinned to immutable SHAs.
Ensure all actions in .github/workflows/comment_issue.yml are pinned to immutable SHAs.
Ensure all actions in .github/workflows/create_issue.yml are pinned to immutable SHAs.
Ensure all actions in .github/workflows/create_issue_on_label.yml are pinned to immutable SHAs.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Ensure all actions in .github/workflows/auto-merge.yml are pinned to immutable SHAs.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
This workflow uses pull_request_target and checks out the pull request's head code via ref: ${{ github.event.pull_request.head.sha }}. This allows potentially untrusted code from the pull request to run with access to repository secrets. Even with the check for dependabot[bot], this pattern is discouraged. For dependabot auto-merging, consider using the pull_request event or avoiding the checkout of the head ref in a privileged context.
Try running the following prompt in your IDE agent:
In .github/workflows/auto-merge.yml, evaluate if the pull_request_target trigger can be replaced with pull_request and if the ref parameter for actions/checkout can be removed to ensure the workflow runs in a restricted context.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 corresponds to v3.0.0, which contradicts the v2.0.0 label. Use the correct SHA for v2.0.0 to maintain consistency.
Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).
Actions left as tags: 0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
jorgebraz
force-pushed
the
security/pin-actions-to-sha
branch
from
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.