Security: pin GitHub Actions to SHA hashes#39
Conversation
Up to standards ✅
|
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
While this PR aims to improve supply chain security by pinning GitHub Actions to SHA hashes, it fails to address the most critical action: actions/checkout. In both build.yml and release.yml, this action remains pinned to the mutable @master branch, leaving the environment vulnerable to unreviewed code changes.
Furthermore, several other actions identified in the requirement analysis remain unpinned or use deprecated versions. The release process also utilizes version: latest for GoReleaser, which introduces non-determinism into the build pipeline. These issues directly contradict the security objectives of the PR and should be resolved before merging.
About this PR
- The action
actions/checkout@masterremains unpinned across all workflows. This contradicts the PR's objective and leaves the pipeline vulnerable to supply chain attacks, as the code executed by this action can change without notice.
1 comment outside of the diff
.github/workflows/release.yml
line 12🔴 HIGH RISK
Please pinactions/checkout@masterto a specific commit SHA. Relying on a mutable branch in a release environment is a high-risk security gap that contradicts the intent of this PR.Try running the following prompt in your IDE agent:
Find the latest commit SHA for
actions/checkoutand update line 12 in.github/workflows/release.ymlto use that SHA instead of@master.
Test suggestions
- The actions/checkout action is pinned to an immutable SHA hash
- The actions/setup-go action is pinned to an immutable SHA hash
- The codacy/git-version action is pinned to an immutable SHA hash
- The docker/login-action action is pinned to an immutable SHA hash
- The goreleaser/goreleaser-action action is pinned to an immutable SHA hash
- The aws-actions/configure-aws-credentials action is pinned to an immutable SHA hash
- The codacy/pulse-action action is pinned to an immutable SHA hash
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. The actions/checkout action is pinned to an immutable SHA hash
2. The actions/setup-go action is pinned to an immutable SHA hash
3. The codacy/git-version action is pinned to an immutable SHA hash
4. The docker/login-action action is pinned to an immutable SHA hash
5. The goreleaser/goreleaser-action action is pinned to an immutable SHA hash
6. The aws-actions/configure-aws-credentials action is pinned to an immutable SHA hash
7. The codacy/pulse-action action is pinned to an immutable SHA hash
🗒️ Improve review quality by adding custom instructions
| steps: | ||
| - uses: actions/checkout@master | ||
| - uses: actions/setup-go@v2 | ||
| - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2 |
There was a problem hiding this comment.
🔴 HIGH RISK
The actions/checkout@master step is not pinned to a SHA. For a security-focused PR, it is essential to pin all actions—especially checkout, which has access to the entire codebase—to a specific commit hash to prevent supply chain attacks.
Try running the following prompt in your coding agent:
Update the
actions/checkoutstep on line 11 of.github/workflows/build.ymlto use a specific commit SHA, such asactions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332(v4.1.7).
| docker push "codacy/pulse-event-cli:latest" | ||
| - name: Push binaries to GitHub | ||
| uses: goreleaser/goreleaser-action@v6 | ||
| uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6 |
There was a problem hiding this comment.
🟡 MEDIUM RISK
Suggestion: Pinning the action SHA secures the execution wrapper, but version: latest still pulls a mutable binary at runtime. This makes the release process non-deterministic. Consider pinning the GoReleaser version to a specific release like v2.1.0.
| # Will fetch all history and tags required to generate version | ||
| fetch-depth: 0 | ||
| - uses: actions/setup-go@v2 | ||
| - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2 |
There was a problem hiding this comment.
🟡 MEDIUM RISK
Suggestion: The actions/setup-go@v2 action is deprecated as it relies on Node.js 12. You should upgrade to v5 while pinning the SHA to ensure compatibility with modern GitHub runners.
| - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2 | |
| - uses: actions/setup-go@0ad4b8f35a13ee4665a0022f3d919229a46975a6 # v5 |
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
jorgebraz
force-pushed
the
security/pin-actions-to-sha
branch
from
7105847 to
8c3296c
Compare
2 participants
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.