Conversation
Up to standards ✅
Pull Request Overview
While this PR correctly implements the move to SHA pinning for security, it introduces critical regressions and misses one action.
Most significantly, the pinning of actions/github-script in jira.yml to v4.0.2 will cause the workflow to fail, as the script utilizes the github.rest API introduced in v5. Additionally, multiple actions (checkout, setup-node) have been regressed to much older versions, which removes recent security and performance improvements. One action, Rebilly/lexi, was missed entirely. These issues should be resolved to maintain workflow functionality and security standards.
About this PR
- Consider adding an automated linting step (e.g., using actionlint) to your CI/CD pipeline to ensure that all future GitHub Actions additions or updates are enforced to use SHA-1 hashes.
Test suggestions
- Pin actions/checkout to SHA in all workflows
- Pin tj-actions/changed-files to SHA in deleted-files.yml
- Pin thollander/actions-comment-pull-request to SHA in deleted-files.yml
- Pin actions/setup-node to SHA in docusaurus.yml
- Pin peaceiris/actions-gh-pages to SHA in docusaurus.yml
- Pin atlassian/gajira actions to SHA in jira.yml
- Pin actions/github-script to SHA in jira.yml
- Pin Rebilly/lexi to SHA in readability.yml
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Pin Rebilly/lexi to SHA in readability.yml
| - name: Add comment to GitHub issue | ||
| uses: actions/github-script@v7 | ||
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 |
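Review bot: the trailing `# v7` on `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7` is documentation only; the runner fetches the commit named by the SHA and never checks that the comment matches it, so a wrong or stale comment hides which release actually executes. Before merging, resolve the SHA against the upstream tags (for example `git ls-remote --tags https://github.com/actions/github-script | grep f28e40c7`) and write the exact release it resolves to in the comment, in the `# v7.0.1` form the suggestion below uses, rather than a floating major; Dependabot and Renovate keep the SHA and that comment in step only when the comment names a precise release.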
🔴 HIGH RISK
The SHA f28e40c7f34bde8b3046d885e986cb6290c5673b corresponds to v4.0.2. Please update to the latest v7 SHA to ensure compatibility with 'github.rest.issues.createComment'.
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffec1c3799cdea # v7.0.1 |
| - name: Update title of GitHub issue | ||
| uses: actions/github-script@v7 | ||
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 |
🔴 HIGH RISK
The SHA f28e40c7f34bde8b3046d885e986cb6290c5673b corresponds to v4.0.2. Since this script relies on 'github.rest' (introduced in v5), using v4 will cause a ReferenceError at runtime. Please update to the latest v7 SHA.
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffec1c3799cdea # v7.0.1 |
| steps: | ||
| - name: Checkout repo with history | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
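Review bot: this checkout pin and its `# v4` comment are repeated verbatim in the other workflow hunks below (the same SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 appears in each). Whichever commit is finally chosen for v4, apply it to every occurrence in the same change and verify it once with `git ls-remote --tags https://github.com/actions/checkout`; otherwise the workflows drift onto different checkout versions while all claiming v4.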
🟡 MEDIUM RISK
The SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 corresponds to v2.4.2. Use the correct SHA for the current v4 release.
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| - name: Setup Node | ||
| uses: actions/setup-node@v4 | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 |
🟡 MEDIUM RISK
The SHA 49933ea5288caeca8642d1e84afbd3f7d6820020 corresponds to v3.8.1. To match the intended version v4, use the correct SHA for the latest v4 release.
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| uses: actions/setup-node@1d71ad2e3bb7c1861502197f1f3ad01a9bd8107c # v4.0.2 |
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
🟡 MEDIUM RISK
The SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 corresponds to v2.4.2. Please use the SHA for the latest v4 release instead.
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
🟡 MEDIUM RISK
The SHA 34e114876b0b11c390a56381ad16ebd13914f8d5 corresponds to v2.4.2. Since the workflow was using v4, please use the correct SHA for the latest v4 release.
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
.github/workflows/readability.yml
Outdated
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: Rebilly/lexi@v2 |
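Review bot: `- uses: Rebilly/lexi@v2` is still a tag reference, yet the commit message reports "Actions left as tags: 0". The audit script's tally is under-counting, so fix the count (or the scan pattern that produced it) together with pinning this action; a report that claims zero will mask the next missed pin as well.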
🟡 MEDIUM RISK
Suggestion: The 'Rebilly/lexi@v2' action remains pinned to a mutable version tag. To meet the security objectives of this PR, please pin this to a specific SHA-1 hash and include the version tag as a comment.
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
17af98c to
ddd6e46
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
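The review suggests a CI step that rejects any action not pinned to a SHA, and the commit message reports an "Actions left as tags" count. The script below is an added example of such a gate; it is not the Codacy audit script this PR was generated by and not actionlint. It scans `uses:` lines for a full 40-hex commit SHA plus a version comment, skips local (`./`) and `docker://` references, and returns the "left as tags" count. The workflow text it runs on is constructed for illustration; a pin is only checked for shape here, and confirming that a SHA really is the commit its comment names still requires resolving it against the upstream tags (`git ls-remote --tags`), which this script does not do.

```python
"""Audit GitHub workflow files for `uses:` references that are not pinned to
an immutable commit SHA.  Added example: not the PR's audit script, not
actionlint.  SAMPLE_WORKFLOW below is constructed for illustration."""
import re
import sys
from pathlib import Path

# Constructed sample (not from the PR): one correct pin, one mutable tag,
# one SHA without a version comment, and two references that are exempt.
SAMPLE_WORKFLOW = """\
name: sample
jobs:
  build:
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: Rebilly/lexi@v2
      - uses: actions/setup-node@1d71ad2e3bb7c1861502197f1f3ad01a9bd8107c
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# `uses:` as a step key or as a reusable-workflow job key, optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)\s*(?:#\s*(\S+))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, ref, problem) for every non-compliant `uses:` line.

    Problems reported:
      "mutable ref"                  - tag or branch (v2, main, ...) or no ref at all
      "sha without version comment"  - pinned, but no `# vX.Y.Z` hint for humans
                                       and for Dependabot/Renovate to keep in step
    Local actions (./path) and docker:// images are skipped: they are not
    fetched from a mutable git ref on a third-party repository.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, comment = match.group(1), match.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "mutable ref"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "mutable ref"))
        elif comment is None:
            findings.append((line_no, ref, "sha without version comment"))
    return findings


def actions_left_as_tags(text):
    """The number the commit message reports as 'Actions left as tags'."""
    return sum(1 for _, _, problem in audit_workflow(text) if problem == "mutable ref")


def audit_directory(workflows_dir=".github/workflows"):
    """Audit every YAML file in the directory; returns {path: findings} for files with findings."""
    results = {}
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Usage: python audit_pins.py [.github/workflows]; exits 1 on any finding so
    # it can act as a CI gate.  Without a workflows directory it audits the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else ".github/workflows"
    if Path(target).is_dir():
        results = audit_directory(target)
    else:
        results = {"<sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for path, findings in results.items():
        for line_no, ref, problem in findings:
            print(f"{path}:{line_no}: {problem}: {ref}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it as a step before the pinned actions execute so a new `@v2`-style reference fails the build instead of landing silently; a non-zero exit is enough for the job to fail. The "sha without version comment" finding is a softer signal than a mutable tag, but it is worth keeping, since a bare SHA gives reviewers no stated release to check the pin against.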