Security: pin GitHub Actions to SHA hashes

[jorgebraz]

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Alerts:

"

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes. Give us feedback}

[codacy-production]

Pull Request Overview

This PR implements security hardening by pinning GitHub Actions to immutable SHA-1 hashes, which is aligned with security best practices; Codacy quality standards are met. However, a critical logic bug was identified in .github/workflows/comment_issue.yml where incorrect variable scoping in if conditions prevents steps from executing. Additionally, there is a recurring discrepancy across all files where actions/github-script is pinned to a SHA for v3.1.0 while being labeled as v2.0.0 in the comments. These issues must be addressed to ensure the workflows function correctly and remain maintainable.

About this PR

• Systemic inconsistency detected: The SHA hash used for actions/github-script (6e5ee1d...) corresponds to version v3.1.0, but the inline comments label it as v2.0.0. Please ensure the SHA and the version tag in the comment are synchronized to the intended version.

Test suggestions

• Verify 'Comment issue on Jira' workflow executes successfully with pinned actions
• Verify 'Create issue on Jira' workflow executes successfully with pinned actions
• Verify 'Create issue on Jira when labeled' workflow executes successfully with pinned actions

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify 'Comment issue on Jira' workflow executes successfully with pinned actions
2. Verify 'Create issue on Jira' workflow executes successfully with pinned actions
3. Verify 'Create issue on Jira when labeled' workflow executes successfully with pinned actions

---

🗒️ Improve review quality by adding custom instructions

[codacy-production]

_{🔴 HIGH RISK}

The if condition for this step relies on env.GITHUB_ISSUE_TYPE and env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL, which are not defined in the job-level environment. Consequently, this step will never execute. Use step outputs directly in the condition.

[codacy-production]

_{🟡 MEDIUM RISK}

The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 belongs to v3.1.0. To pin to v2.0.0 as specified in the comment, use the correct SHA.

Suggested change

	uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
	uses: actions/github-script@76387de5877f864e405d45d31139454174312781 # v2.0.0

[codacy-production]

_{🟡 MEDIUM RISK}

The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 belongs to v3.1.0. To pin to v2.0.0 as specified in the comment, use the correct SHA.

Suggested change

	uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
	uses: actions/github-script@76387de5877f864e405d45d31139454174312781 # v2.0.0

[codacy-production]

_{🟡 MEDIUM RISK}

The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 belongs to v3.1.0. To strictly pin to v2.0.0 as specified in the comment, use the correct SHA.

Suggested change

	uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
	uses: actions/github-script@76387de5877f864e405d45d31139454174312781 # v2.0.0