Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Pull Request Overview
While this PR correctly implements SHA pinning for GitHub Actions, it introduces or maintains high-severity security and logic flaws that must be addressed. Specifically, the .github/workflows/comment_issue.yml file contains a script injection vulnerability due to direct context interpolation and a workflow logic error where step-level environment variables are used in 'if' conditions before they are initialized, which will result in skipped steps. Additionally, the use of deprecated runtimes and lack of error handling in regex matching should be corrected. These security and functional issues should prevent merging in their current state.
About this PR
- The hardening effort is undermined by script injection risks and invalid workflow logic. Ensure that all context data passed to scripts is handled via environment variables rather than direct string interpolation, and that step conditions rely on previous step outputs instead of local environment variables which are not yet available at evaluation time.
Test suggestions
- Verify all instances of 'actions/github-script' are updated to use the SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45.
- Verify all instances of 'atlassian/gajira-login' are updated to use the SHA hash 90a599561baaf8c05b080645ed73db7391c246ed.
- Verify 'atlassian/gajira-create' is updated to use the SHA hash c0a9c69ac9d6aa063fed57201e55336ada860183.
- Verify 'atlassian/gajira-comment' is updated to use the SHA hash 8ec356b5df49f1325653db7ee2da2b59a1d78203.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: login | ||
| uses: atlassian/gajira-login@v2.0.0 | ||
| uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0 |
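Review bot: the `if:` on this login step compares env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL, values produced by earlier steps; a step's own `env:` is not populated when its `if:` is evaluated, so unless these are job- or workflow-level variables the condition is always false and the newly pinned login never runs. Gate on the producing steps' outputs instead, e.g. `steps.github_issue_type.outputs.result == 'issue'` together with the corresponding output of the label-check step. The SHA pin with the trailing `# v2.0.0` comment is the right form.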
🔴 HIGH RISK
The 'if' condition for this step relies on environment variables defined at the step level (e.g., env.GITHUB_ISSUE_TYPE). In GitHub Actions, 'if' conditionals are evaluated before the step-level environment is set up, meaning these variables will be undefined and the step will be skipped. Access the previous steps' outputs directly using the 'steps' context instead (e.g., 'steps.github_issue_type.outputs.result').
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
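Review bot: pinning to 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 freezes actions/github-script at v2.0.0, a major that targets a Node runtime current GitHub-hosted runners have retired; a pin is only as good as the commit it points at, so move to a supported major (v7 at 60a0d83039c74a4aee543508d2ff4a7df0bd5ad0, as the comment below notes) and keep the trailing `# vX` comment accurate so update tooling can track the pin. The `if: env.JIRA_CREATE_COMMENT_AUTO == 'true'` here is fine provided that variable is set at job or workflow level rather than on the step itself.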
🔴 HIGH RISK
This script block contains a high-risk code injection vulnerability by directly interpolating GitHub context values using ${{ }}. Pass context data (like labels or titles) through the 'env' block and access them via 'process.env' instead. Additionally, 'actions/github-script@v2' is deprecated as it relies on the end-of-life Node 12 runtime; consider upgrading to v7 (SHA 60a0d83039c74a4aee543508d2ff4a7df0bd5ad0) to ensure compatibility with modern runners.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true' | ||
| id: extract_jira_number | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
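Review bot: this step has the same env-in-`if:` problem as the login step (env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL are only usable in `if:` when they are job- or workflow-level), so gate on `steps.github_issue_type.outputs.result == 'issue'` and the label step's output, and it carries the same retired v2.0.0 pin. Since the title regex runs in this step's script, have it return an empty string when there is no match so the downstream steps can skip instead of the job failing.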
🟡 MEDIUM RISK
Suggestion: Add a check to ensure the regex match is successful before accessing the capture group. Currently, if the issue title does not match the expected pattern, 'match()' will return null and the workflow will fail with a TypeError when accessing index [1].
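One way to apply the three review points in a single step chain, as an added example that is not the repository's comment_issue.yml: the step ids follow the review, the action SHAs are the ones quoted in it, and the script bodies, the label name 'jira', the secret names and the job-level JIRA_CREATE_COMMENT_AUTO are assumptions.

```yaml
# Added example (not the repository's workflow): SHA-pinned steps that gate on prior step
# outputs, pass context to scripts via env, and tolerate a title without a Jira key.
# Assumed: label name 'jira', the secret names, and that JIRA_CREATE_COMMENT_AUTO is job env.
jobs:
  comment_issue:
    runs-on: ubuntu-latest
    env:
      JIRA_CREATE_COMMENT_AUTO: 'true'
    steps:
      - id: github_issue_type
        if: env.JIRA_CREATE_COMMENT_AUTO == 'true'   # job-level env is visible to a step if:
        uses: actions/github-script@60a0d83039c74a4aee543508d2ff4a7df0bd5ad0 # v7
        with:
          result-encoding: string
          script: |
            // event payload is read from the action's context object, never via ${{ }}
            return context.payload.issue && !context.payload.issue.pull_request ? 'issue' : 'pull_request';
      - id: has_jira_label
        if: steps.github_issue_type.outputs.result == 'issue'   # prior output, not step env
        uses: actions/github-script@60a0d83039c74a4aee543508d2ff4a7df0bd5ad0 # v7
        env:
          ISSUE_LABELS: ${{ toJSON(github.event.issue.labels.*.name) }}   # passed as data
        with:
          result-encoding: string
          script: |
            return JSON.parse(process.env.ISSUE_LABELS || '[]').includes('jira') ? 'true' : 'false';
      - id: extract_jira_number
        if: steps.has_jira_label.outputs.result == 'true'
        uses: actions/github-script@60a0d83039c74a4aee543508d2ff4a7df0bd5ad0 # v7
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}   # user-controlled text stays data
        with:
          result-encoding: string
          script: |
            const match = (process.env.ISSUE_TITLE || '').match(/\b([A-Z][A-Z0-9]+-\d+)\b/);
            if (!match) { core.info('no Jira key in title; later steps will skip'); return ''; }
            return match[1];
      - id: login
        if: steps.extract_jira_number.outputs.result != ''
        uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
        env:
          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
          JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
```

The title and labels reach the scripts only through environment variables, so a crafted issue title cannot become JavaScript, and each `if:` reads a value that exists at evaluation time.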
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.