Security: pin GitHub Actions to SHA hashes#2620

Merged
afsmeira merged 2 commits into master from security/pin-actions-to-sha
Apr 17, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

@jorgebraz jorgebraz requested a review from a team as a code owner March 24, 2026 17:36
@github-actions github-actions bot temporarily deployed to Netlify March 24, 2026 17:38 Inactive
@codacy-production
Contributor

codacy-production bot commented Mar 24, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


Contributor

@codacy-production codacy-production bot left a comment


Pull Request Overview

While this PR successfully pins most GitHub Actions to SHA hashes, there are inconsistencies and omissions that undermine the security goals. Specifically, the actions/checkout action in mkdocs.yml uses an incorrect major version and a SHA hash inconsistent with other files in this PR. Furthermore, the Rebilly/lexi action remains pinned to a mutable tag, which contradicts the stated acceptance criteria and leaves the workflow vulnerable to supply chain attacks. Although Codacy analysis indicates the PR is 'up to standards', these functional alignment issues should be resolved to ensure the security policy is applied uniformly.

About this PR

  • The security hardening is incomplete; while most actions were updated, at least one third-party action was overlooked. To meet the security objectives, every action reference must be pinned to an immutable SHA hash to prevent tag-shifting attacks.

Test suggestions

  • Verify that 'actions/checkout' is pinned to a SHA hash in all workflow files
  • Verify that third-party actions like 'tj-actions/changed-files' and 'atlassian/gajira' are pinned to SHA hashes
  • Verify that the 'Rebilly/lexi' action in 'readability.yml' is pinned to a SHA hash
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that the 'Rebilly/lexi' action in 'readability.yml' is pinned to a SHA hash
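The checks the review above asks for (every `uses:` reference in every workflow file pinned to a full commit SHA, including third-party actions such as `Rebilly/lexi` and `tj-actions/changed-files`) can be run as a small script rather than by eye. The following is an added example for this discussion; it is not the repository's code and not the Codacy audit script that generated the PR. The sample workflow text and its 40-hex "SHA" are constructed placeholders, and the `scan_workflows` directory default is an assumption about the usual `.github/workflows` layout.

```python
"""Check GitHub Actions workflow files for `uses:` references that are not
pinned to a full commit SHA.

Added example for this PR discussion; it is not the repository's code and not
the Codacy audit script that generated the PR. The workflow text below is
constructed for the demo, and its 40-hex SHA is a placeholder, not a real
commit of actions/checkout.
"""
import re
import sys
from pathlib import Path

# Matches `uses: <spec>` (with or without a list dash or quotes); the spec stops
# at whitespace, a quote, or a trailing `# v4`-style version comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<spec>[^'\"\s#]+)")
# A full SHA-1 commit id is exactly 40 hex characters. Tags, branches and
# abbreviated SHAs are mutable or ambiguous and are reported.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_spec(spec: str) -> str:
    """Classify one `uses:` target.

    'local'      ./path inside this repo, versioned with the repo itself
    'sha'        owner/repo@<40-hex commit>, immutable
    'digest'     docker://image@sha256:..., immutable
    'docker-tag' docker://image:tag, mutable
    'tag'        owner/repo@tag, @branch, @short-sha or no ref at all, mutable
    """
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        return "digest" if "@sha256:" in spec else "docker-tag"
    _target, _, ref = spec.partition("@")
    return "sha" if FULL_SHA_RE.match(ref) else "tag"


def find_unpinned(workflow_text: str):
    """Return [(line_no, spec, kind)] for each reference that is not immutable."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        kind = classify_spec(spec)
        if kind in ("tag", "docker-tag"):
            findings.append((line_no, spec, kind))
    return findings


def scan_workflows(workflow_dir: str = ".github/workflows"):
    """Scan every *.yml / *.yaml file under workflow_dir; return {path: findings}."""
    results = {}
    base = Path(workflow_dir)
    for path in sorted(list(base.glob("*.yml")) + list(base.glob("*.yaml"))):
        findings = find_unpinned(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


PLACEHOLDER_SHA = "0" * 39 + "1"  # constructed placeholder, not a real commit
SAMPLE_WORKFLOW = f"""\
name: readability
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: tj-actions/changed-files@v44
      - uses: Rebilly/lexi@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: "atlassian/gajira-login@abcdef1"
"""

if __name__ == "__main__":
    # Demo on the constructed sample, then (when run inside a repo) on real files.
    for line_no, spec, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"sample:{line_no}: {kind}: {spec}")
    real = scan_workflows()
    for path, findings in real.items():
        for line_no, spec, kind in findings:
            print(f"{path}:{line_no}: {kind}: {spec}")
    sys.exit(1 if real else 0)  # non-zero exit so CI fails on any mutable ref
```

Run from the repository root, it exits non-zero when any workflow still references a tag, branch or abbreviated SHA, which is the CI-enforceable form of the "verify ... is pinned to a SHA hash" tests listed above. Keeping the `# v4` comment next to the SHA is what lets a reviewer (or a bot such as Dependabot) still see which release the hash corresponds to.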


Comment thread .github/workflows/mkdocs.yml
Comment thread .github/workflows/readability.yml Outdated
Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@jorgebraz jorgebraz force-pushed the security/pin-actions-to-sha branch from 99233f5 to 3473b3f Compare March 24, 2026 18:12
@github-actions github-actions bot temporarily deployed to Netlify March 24, 2026 18:14 Inactive
@afsmeira afsmeira removed the request for review from a team April 17, 2026 11:04
@afsmeira afsmeira enabled auto-merge (squash) April 17, 2026 11:05
@github-actions github-actions bot temporarily deployed to Netlify April 17, 2026 11:06 Inactive
@afsmeira afsmeira merged commit e4f2d77 into master Apr 17, 2026
5 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch April 17, 2026 11:06
