Security: pin GitHub Actions to SHA hashes #9
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
Up to standards ✅
Pull Request Overview
This PR successfully implements the security requirement of pinning GitHub Actions to immutable SHA hashes. While the code is technically 'up to standards' according to Codacy, the review identified a regression in .github/workflows/auto-merge.yml where the pinned SHA points to an outdated version (v1.1.1) instead of the v1.6.0 version currently in use via tags. Furthermore, the actions/checkout usage in .github/workflows/codeql.yml relies on the deprecated Node.js 16 runtime. Addressing these versioning concerns is necessary to maintain workflow reliability.
Test suggestions
- Verify dependabot/fetch-metadata in auto-merge.yml is pinned to a SHA hash.
- Verify actions/checkout in codeql.yml is pinned to a SHA hash.
- Verify github/codeql-action steps (init, autobuild, analyze) in codeql.yml are pinned to SHA hashes.
| - name: Fetch Dependabot metadata | ||
| id: dependabot-metadata | ||
| uses: dependabot/fetch-metadata@v1 | ||
| uses: dependabot/fetch-metadata@8348ea7f5d949b08c7f125a44b569c9626b05db3 # v1 |
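Review bot: the replacement line keeps a major-only `# v1` marker after the SHA even though a commit hash resolves to exactly one release; the comment should name that exact release, because it is what a reviewer and Dependabot's `github-actions` updater use to tell which version is pinned and when it needs bumping. Before merging, also confirm the hash belongs to the intended release by comparing it with the peeled (`^{}`) entry for that tag in `git ls-remote --tags https://github.com/dependabot/fetch-metadata`, since a pin to the wrong commit silently downgrades the action.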
🟡 MEDIUM RISK
The hash 8348ea7f5d949b08c7f125a44b569c9626b05db3 pins the action to version v1.1.1. Since the workflow previously used the @v1 tag (resolving to v1.6.0), this change introduces a regression. It is recommended to pin to the latest stable release for that major version to avoid reintroducing resolved issues.

```suggestion
 uses: dependabot/fetch-metadata@c9c4182bf1b97f5224a132144d9358cd1d819911 # v1.6.0
```
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 |
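Review bot: this hunk pins only the Checkout step of codeql.yml; the github/codeql-action init, autobuild and analyze steps that the overview's test suggestions ask to verify are not in the visible diff, so confirm they were pinned in the same change, because one step left on a tag keeps the tag-force-push exposure this PR is meant to remove. As with the auto-merge.yml hunk, the `# v3` comment should state the exact release the SHA maps to rather than the major version alone.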
⚪ LOW RISK
Suggestion: The actions/checkout@v3 action is powered by Node.js 16, which is deprecated. Upgrading to v4 ensures compatibility with the Node.js 20 runtime environment.

```suggestion
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
```
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
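The verification steps listed under "Test suggestions" above, as an added example that is not part of this PR or of Codacy's audit script: a small Python audit over constructed workflow excerpts (modelled on the two hunks, not the repository's real files) that flags `uses:` references not pinned to a full 40-hex commit SHA, and SHA pins whose trailing comment does not name an exact release.

```python
import re
from typing import Dict, List

# Matches a step's `uses:` line: optional list dash, the action reference
# (optionally quoted) and an optional trailing "# ..." comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+$")

# Constructed sample excerpts (assumption: shaped like the PR's hunks).
SAMPLE_WORKFLOWS = {
    ".github/workflows/auto-merge.yml": """
steps:
  - name: Fetch Dependabot metadata
    id: dependabot-metadata
    uses: dependabot/fetch-metadata@8348ea7f5d949b08c7f125a44b569c9626b05db3 # v1
""",
    ".github/workflows/codeql.yml": """
steps:
  - name: Checkout
    uses: actions/checkout@v3
  - name: Initialize CodeQL
    uses: github/codeql-action/init@main
  - name: Local composite action
    uses: ./.github/actions/setup
""",
}

def audit_workflow(path: str, text: str) -> List[Dict[str, str]]:
    """Report every `uses:` reference that is not an immutable commit SHA,
    plus SHA pins whose trailing comment does not name an exact release."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and docker images are not git refs; skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        base = {"file": path, "line": str(lineno), "action": action, "ref": version}
        if not FULL_SHA_RE.match(version):
            findings.append({**base, "issue": "mutable tag or branch reference"})
        elif not EXACT_VERSION_RE.match(comment):
            findings.append({**base, "issue": "SHA pinned but comment lacks exact version"})
    return findings

def audit_all(workflows: Dict[str, str]) -> List[Dict[str, str]]:
    return [f for path, text in workflows.items() for f in audit_workflow(path, text)]
```

Run `audit_all(SAMPLE_WORKFLOWS)` to list the three findings; a clean workflow returns an empty list.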