Security: pin GitHub Actions to SHA hashes#2619
Conversation
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). NOT_FOUND actions left as tags: 0
Up to standards ✅🟢 Issues
|
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
While this PR correctly identifies the need for security hardening by pinning GitHub Actions to SHA hashes, it currently fails to meet its objective due to critical syntax errors. The automation used to resolve SHAs failed for 'calibreapp/image-actions' and 'errata-ai/vale-action', inserting 'Not Found' error strings into the YAML files that will cause CI failures. Additionally, the 'Rebilly/lexi' action was missed, and there are version comment inconsistencies in the mkdocs workflow. These issues must be resolved before merging to ensure pipeline stability.
About this PR
- The action 'Rebilly/lexi@v2' in '.github/workflows/readability.yml' was missed during this update and remains pinned to a mutable tag. It should be updated to a full SHA hash to ensure full coverage of the security hardening objective.
Test suggestions
- Verify syntax validity of all modified YAML workflow files.
- Verify all 'uses' statements in '.github/workflows/' are pinned to valid hex SHAs.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify syntax validity of all modified YAML workflow files.
2. Verify all 'uses' statements in '.github/workflows/' are pinned to valid hex SHAs.
Low confidence findings
- The PR lacks a validation step (such as action-validator) to ensure that the new SHA-based workflow files are syntactically correct. Given the 'Not Found' strings introduced in this PR, adding such a check to the CI process would prevent invalid YAML from being merged.
🗒️ Improve review quality by adding custom instructions
|
|
||
| - name: Vale | ||
| uses: errata-ai/vale-action@reviewdog | ||
| uses: errata-ai/vale-action@{message:Not Found # reviewdog |
There was a problem hiding this comment.
🔴 HIGH RISK
The 'uses' string is malformed with an '@{message:Not Found' error. This indicates the pinning tool failed to resolve the 'reviewdog' reference. This must be corrected to a valid SHA to prevent workflow execution failure.
| uses: errata-ai/vale-action@{message:Not Found # reviewdog | |
| uses: errata-ai/vale-action@433be9264c9d9681313460877969ec1161a0709b # reviewdog |
| - name: Compress images | ||
| id: calibre | ||
| uses: calibreapp/image-actions@main | ||
| uses: calibreapp/image-actions@{message:Not Found # main |
There was a problem hiding this comment.
🔴 HIGH RISK
The 'uses' string contains a corrupted reference '@{message:Not Found # main'. This is invalid YAML and will cause the workflow to fail. Replace the error message with the correct 40-character commit SHA.
| uses: calibreapp/image-actions@{message:Not Found # main | |
| uses: calibreapp/image-actions@6627f4d0ef925a3d70650d51790407727e029ba7 # main |
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
There was a problem hiding this comment.
🟡 MEDIUM RISK
Suggestion: The version comment '# v6' is incorrect as v6 of 'actions/checkout' does not exist (v4 is the current major version). Furthermore, the SHA used here (de0fac2...) is inconsistent with the v4 SHA (34e1148...) used elsewhere in this PR. Standardizing these references improves maintainability.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
1 participant
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.