
Security: pin GitHub Actions to SHA hashes#29

Open
jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production
Copy link
Copy Markdown

Up to standards ✅

🟢 Issues: 0 issues

Results: 0 new issues

View in Codacy


@codacy-production codacy-production bot left a comment


Pull Request Overview

This PR successfully addresses the security requirement of pinning GitHub Actions to immutable commit SHAs across all workflows. However, the review identified several critical issues within the modified files that should be addressed before merging to ensure reliability and full security hardening.

Major concerns include asynchronous API calls that are not awaited, which will cause non-deterministic behavior in issue syncing, and a regex implementation lacking null-safety. Additionally, while the PR improves security by pinning actions, the workflows continue to use direct expression interpolation in github-script blocks, which remains a vector for injection attacks. Addressing these logic and security gaps is recommended to complement the pinning of actions.

About this PR

  • A recurring pattern of missing await keywords on asynchronous Octokit calls was found across all three workflow files. This will lead to race conditions where actions terminate before API requests complete.
  • While pinning actions to SHAs is a significant security improvement, several workflows continue to use direct expression interpolation (${{ ... }}) inside github-script blocks. This pattern is vulnerable to script injection if the context values are manipulated. It is highly recommended to transition these to environment variables as part of this security-focused PR.

Test suggestions

  • Verify all instances of 'actions/github-script' are pinned to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
  • Verify all instances of 'atlassian/gajira-login' are pinned to SHA 90a599561baaf8c05b080645ed73db7391c246ed
  • Verify 'atlassian/gajira-comment' is pinned to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203
  • Verify all instances of 'atlassian/gajira-create' are pinned to SHA c0a9c69ac9d6aa063fed57201e55336ada860183

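The "Test suggestions" above ask to verify that each action is pinned to a specific SHA. An added example (not part of the PR or of Codacy's tooling) that automates that check over a workflow file; the workflow fragment it scans is constructed and the classification rules are this example's own:

```javascript
// Added example (not from the PR): audit every `uses:` reference in a
// workflow file and report anything not pinned to a full 40-hex commit SHA.
// SAMPLE below is a constructed workflow fragment, not one of the PR's files.

const SHA40 = /^[0-9a-f]{40}$/;

// One record per `uses:` line: { action, ref, kind, versionComment }.
function auditUses(workflowText) {
  const findings = [];
  for (const line of workflowText.split('\n')) {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?/);
    if (!m) continue;
    const [, spec, versionComment] = m;
    // Local (./path) and docker:// references cannot be pinned to a git SHA here.
    if (spec.startsWith('./') || spec.startsWith('docker://')) {
      findings.push({ action: spec, ref: null, kind: 'local-or-docker', versionComment: null });
      continue;
    }
    const at = spec.lastIndexOf('@');
    const action = at === -1 ? spec : spec.slice(0, at);
    const ref = at === -1 ? null : spec.slice(at + 1);
    let kind;
    if (ref === null) kind = 'unpinned';                        // floats on the default branch
    else if (SHA40.test(ref)) kind = 'sha';                     // immutable
    else if (/^[0-9a-f]{7,39}$/.test(ref)) kind = 'short-sha';  // abbreviated, not unique
    else kind = 'tag-or-branch';                                // mutable: can be force-pushed
    findings.push({ action, ref, kind, versionComment: versionComment || null });
  }
  return findings;
}

// Mutable references, plus SHA pins with no trailing version comment (without
// it nobody can tell which release the SHA is supposed to correspond to).
function violations(workflowText) {
  return auditUses(workflowText).filter(f =>
    f.kind !== 'sha' && f.kind !== 'local-or-docker' ||
    (f.kind === 'sha' && f.versionComment === null));
}

// Constructed sample: one correctly pinned step, three that should be flagged.
const SAMPLE = `
steps:
  - uses: actions/checkout@v4
  - name: Script
    uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
  - uses: atlassian/gajira-login@master
  - uses: some-org/some-action@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
  - uses: ./.github/actions/local
`;
```

Run `violations(text)` over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; `short-sha` is rejected deliberately because an abbreviated hash is not guaranteed unique.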

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
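Review bot: the trailing `# v2.0.0` comment on the new `uses:` line is the only human-readable record of what this SHA is meant to be, so it should be verified rather than trusted: resolve the tag with `git ls-remote --tags https://github.com/actions/github-script v2.0.0` (compare against the peeled `v2.0.0^{}` entry if the tag is annotated) and confirm it equals `6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45`. Also enable Dependabot's `github-actions` ecosystem in this repository so future bumps update the SHA and the version comment together instead of letting them drift apart.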

🟡 MEDIUM RISK

Asynchronous API calls should be awaited to ensure the action does not terminate prematurely. Add await to the github.issues.update and github.issues.createComment calls.

Try running the following prompt in your coding agent:

Add await to all asynchronous GitHub API calls in .github/workflows/create_issue_on_label.yml.

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
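Review bot: the pin freezes this step at github-script v2.0.0, a very old release whose `github.issues.*` client (the one the other comments refer to) predates the current `github.rest.*` API and whose bundled Node runtime is no longer current. The SHA pin is the right fix for mutability, but it also makes the old version permanent; a follow-up should move these steps to a current release, pinned by SHA in the same way, rather than leaving v2.0.0 immutable.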

🟡 MEDIUM RISK

The asynchronous calls to github.issues.update and github.issues.addLabels are not awaited. This can cause the action to finish before the API requests are completed. Add the await keyword to all asynchronous Octokit calls.

Try running the following prompt in your coding agent:

Update the github-script blocks in .github/workflows/create_issue.yml to await all github.issues API calls.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

The regex match result is accessed directly without a null check. This will cause the workflow to fail if the issue title doesn't match the Jira pattern (e.g. for bot comments or unrelated issues). Consider adding a check for the match result before accessing index 1.

Try running the following prompt in your coding agent:

In .github/workflows/comment_issue.yml, update the Extract Jira number script to safely handle cases where the regex match might be null.

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

Suggestion: Avoid direct interpolation in the script at line 81. Use environment variables to pass steps.create_jira_issue.outputs.issue and secrets.JIRA_BASE_URL into the script context.

Try running the following prompt in your IDE agent:

In .github/workflows/create_issue_on_label.yml, update the Add comment after sync step to pass steps.create_jira_issue.outputs.issue and secrets.JIRA_BASE_URL as environment variables.

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

Suggestion: Directly interpolating values into the script string (line 89) is less secure than using environment variables. To follow best practices and maintain consistency with other parts of the workflow, pass these values via the env block.

Try running the following prompt in your IDE agent:

In .github/workflows/create_issue.yml, update the Add comment after sync step to pass steps.create_jira_issue.outputs.issue and secrets.JIRA_BASE_URL as environment variables.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_has_jira_issue_label
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

Suggestion: Accessing github.event.issue.labels via direct interpolation is risky. It should be passed via env to avoid potential code injection.

Try running the following prompt in your IDE agent:

In .github/workflows/comment_issue.yml, update the Check if GitHub Issue has JIRA_ISSUE_LABEL step to pass github.event.issue.labels as a JSON string in an environment variable, then parse it using JSON.parse(process.env.LABELS) inside the script.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0

🟡 MEDIUM RISK

Suggestion: While pinning actions to SHAs is a great security improvement, the script on line 26 still uses direct interpolation of the GitHub context. This can be vulnerable to injection attacks if the context values (like issue data) are manipulated. Use environment variables instead.

Try running the following prompt in your IDE agent:

In .github/workflows/comment_issue.yml, update the Check GitHub Issue type step to pass github.event.issue.pull_request as an environment variable and use process.env in the script to check for its existence.
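The comments above raise three points: un-awaited Octokit calls, a regex match read without a null check, and `${{ }}` values interpolated into the script source. Added example, not code from the PR or its workflows: one github-script body written the hardened way, with the Jira key pattern, the environment variable names and the fake Octokit client all assumed for illustration.

```javascript
// Added example (not from the PR): the hardened shape of the github-script
// steps the comments above discuss. Values enter via process.env (set in the
// step's `env:` block) instead of ${{ }} interpolation into the script string,
// the regex lookup is null-safe, and every Octokit call is awaited.
// In the workflow step the env block would look like this (real Actions syntax):
//   env:
//     LABELS: ${{ toJSON(github.event.issue.labels) }}
//     JIRA_ISSUE: ${{ steps.create_jira_issue.outputs.issue }}
//     JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}

const JIRA_KEY = /\b([A-Z][A-Z0-9]+-\d+)\b/;  // assumed key format, e.g. PROJ-12

// Null-safe: returns the key, or null when the title has none (bot comments,
// unrelated issues) instead of throwing on `match(...)[1]`.
function extractJiraKey(title) {
  const m = typeof title === 'string' ? title.match(JIRA_KEY) : null;
  return m ? m[1] : null;
}

// LABELS is the JSON of github.event.issue.labels passed through env;
// JSON.parse only parses it, unlike interpolation into the script source.
function hasLabel(labelsJson, wanted) {
  let labels;
  try { labels = JSON.parse(labelsJson || '[]'); } catch { return false; }
  return Array.isArray(labels) && labels.some(l => l && l.name === wanted);
}

// The sync flow. `github` is the Octokit client github-script injects (the
// workflow's v2-era `github.issues.*` API); `env` mirrors process.env.
async function syncIssue(github, env) {
  if (!hasLabel(env.LABELS, env.JIRA_ISSUE_LABEL)) return { skipped: 'no label' };
  const key = env.JIRA_ISSUE || extractJiraKey(env.ISSUE_TITLE);
  if (key === null) return { skipped: 'no jira key' };
  const target = { owner: env.OWNER, repo: env.REPO, issue_number: Number(env.ISSUE_NUMBER) };
  // Awaited, so the step cannot exit before the requests complete.
  await github.issues.update({ ...target, title: `[${key}] ${env.ISSUE_TITLE}` });
  await github.issues.createComment({ ...target, body: `Jira: ${env.JIRA_BASE_URL}/browse/${key}` });
  return { key };
}

// Fake Octokit that records calls so the flow can be exercised offline.
function fakeGithub() {
  const calls = [];
  const rec = name => async args => { calls.push({ name, args }); return { data: args }; };
  return { calls, issues: { update: rec('update'), createComment: rec('createComment') } };
}
```

Inside a real step the body would be `return syncIssue(github, process.env)`, so github-script waits on the returned promise as well.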
