Up to standards ✅
Pull Request Overview
While this PR correctly pins most GitHub Actions to SHA hashes, it fails to meet its complete acceptance criteria by overlooking the ahmadnassri/action-dependabot-auto-merge action in .github/workflows/auto-merge.yml. Additionally, Codacy has flagged the project as not up to standards due to a high-severity security risk in that same workflow: the combination of pull_request_target with a checkout of the incoming pull request's head. This pattern potentially allows untrusted code to run in a privileged context. Both the missing SHA pin and this vulnerability should be addressed to maintain the security integrity of the repository.
About this PR
- The PR description indicates that all GitHub Actions have been pinned to hashes, but the implementation in .github/workflows/auto-merge.yml is incomplete. Please ensure the PR description aligns with the final changes or complete the pinning for all actions.
Test suggestions
- Verify actions/checkout in auto-merge.yml is pinned to a SHA
- Verify actions/github-script in multiple workflows is pinned to a SHA
- Verify atlassian/gajira actions (login, create, comment) are pinned to SHAs
- Verify ahmadnassri/action-dependabot-auto-merge in auto-merge.yml is pinned to a SHA
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify ahmadnassri/action-dependabot-auto-merge in auto-merge.yml is pinned to a SHA
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 |
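Review bot: Pinning `actions/checkout` to `ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2` fixes the mutable reference, but the step itself is what the HIGH RISK finding is about: under `pull_request_target` a checkout of the pull request head runs untrusted content with the workflow's privileges, and an immutable checkout action does not change that. Since the auto-merge action works against the API, the simplest fix for this hunk is to drop the checkout step rather than pin it; if a checkout is genuinely needed, check out the base ref instead. Keep the trailing `# v2` comment on any remaining pin so the release the SHA maps to stays documented and Dependabot can update the SHA and comment together. Note also that `if: github.actor == 'dependabot[bot]'` gates only on who triggered the run, not on what the pull request contains, so it is not a substitute for removing the head checkout.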
🔴 HIGH RISK
The action ahmadnassri/action-dependabot-auto-merge@v2 is not pinned to a SHA hash, leaving a gap in the supply chain security policy this PR intended to implement. Furthermore, using pull_request_target while checking out the head of the incoming pull request is a significant security vulnerability, as it allows potentially untrusted code to run with repository secrets. Since this workflow's purpose is to auto-merge via an API-based action, the checkout step may be unnecessary. Please pin the action to a specific SHA and refactor the workflow to avoid checking out untrusted code in a privileged context.
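The test suggestions above ask for a check that every action is SHA-pinned, and the HIGH RISK finding adds a second condition: a `pull_request_target` workflow must not check out the pull request head. The script below is an added example that implements both checks over workflow text; it is not the Codacy audit script and not code from this PR. Parsing is line-based on purpose (no PyYAML dependency), so it handles the usual `uses:` / `ref:` layouts but is not a full YAML parser. The three sample workflows are constructed for the example: the `ref:` line and the all-zero SHA are placeholders, while the action names, the `if:` condition and the checkout SHA come from the page.

```python
"""Audit GitHub Actions workflow text for unpinned actions and for a
privileged (pull_request_target) checkout of the pull request head.

Added example, not the Codacy audit script. Line-based parsing, not full YAML.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
REF_RE = re.compile(r"^\s*ref:\s*(.+?)\s*$")


@dataclass
class Finding:
    kind: str    # "unpinned" or "privileged_checkout"
    detail: str  # offending reference, or a short explanation


def is_pinned(uses_ref: str) -> bool:
    """True if `owner/repo[/path]@<version>` names a full 40-hex commit SHA.

    Tags (@v2), branches (@main) and abbreviated SHAs are mutable or
    ambiguous, so they count as unpinned.
    """
    _, sep, version = uses_ref.rpartition("@")
    return bool(sep) and bool(SHA40_RE.match(version))


def _without_comment(line: str) -> str:
    return line.split("#", 1)[0]


def scan_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text, in source order."""
    lines = text.splitlines()
    findings: list[Finding] = []
    # Does the workflow run on the privileged pull_request_target trigger?
    privileged = any(
        re.search(r"\bpull_request_target\b", _without_comment(ln)) for ln in lines
    )
    checks_out = False
    head_ref = False
    for ln in lines:
        m = USES_RE.match(ln)
        if m:
            ref = m.group(1)
            # Local actions and Docker images are not resolved from a git tag;
            # they need a different check and are skipped here.
            if ref.startswith(("./", "docker://")):
                continue
            if not is_pinned(ref):
                findings.append(Finding("unpinned", ref))
            if ref.partition("@")[0] == "actions/checkout":
                checks_out = True
            continue
        m = REF_RE.match(ln)
        # A `ref:` pointing at the incoming PR's head commit or branch.
        if m and "github.event.pull_request.head" in m.group(1):
            head_ref = True
    if privileged and checks_out and head_ref:
        findings.append(Finding(
            "privileged_checkout",
            "pull_request_target workflow checks out the pull request head",
        ))
    return findings


# Constructed sample modelled on the workflow described in the review.
VULNERABLE_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
"""

# Constructed: pins applied (all-zero SHA is a placeholder), head checkout kept.
PINNED_ONLY_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@0000000000000000000000000000000000000000 # placeholder SHA
"""

# Constructed hardened form: checkout step dropped (the action works via API).
HARDENED_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@0000000000000000000000000000000000000000 # placeholder SHA
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("pinned only", PINNED_ONLY_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW)]:
        print(name, [(f.kind, f.detail) for f in scan_workflow(wf)])
```

Running it shows why pinning alone does not close the finding: the "pinned only" sample clears both `unpinned` results but still reports `privileged_checkout`, and only the version without the head checkout comes back clean.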
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
6c8893f to d6c2552
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.