
Security: pin GitHub Actions to SHA hashes#28

Merged

afsmeira merged 1 commit into master from security/pin-actions-to-sha on Mar 25, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Alerts:


Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production Bot left a comment


Pull Request Overview

While this PR improves security by pinning actions to SHAs, it introduces a major version mismatch for the actions/github-script action across all modified workflow files. The commit SHA used points to v3.1.0, but the accompanying comments suggest an intent to use v2.0.0. This could lead to breaking changes in your workflow scripts. Please ensure the SHA matches the intended version before merging. Codacy analysis shows the PR is up to standards.

About this PR

  • Systemic mismatch identified: The commit SHA used for actions/github-script across all workflows refers to version v3.1.0, but is labeled as v2.0.0. This major version upgrade includes breaking changes in the Octokit library that may affect script execution.

Test suggestions

  • Verify that all instances of actions/github-script are pinned to SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45.
  • Verify that all instances of atlassian/gajira-login are pinned to SHA 90a599561baaf8c05b080645ed73db7391c246ed.
  • Verify that all instances of atlassian/gajira-create are pinned to SHA c0a9c69ac9d6aa063fed57201e55336ada860183.
  • Verify that all instances of atlassian/gajira-comment are pinned to SHA 8ec356b5df49f1325653db7ee2da2b59a1d78203.
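The PR description pins every `uses:` reference to a full commit SHA, and the review overview above shows the failure mode that pinning alone does not catch: the SHA and the trailing `# vX.Y.Z` comment can disagree, because the comment is just a label. The script below is an added example, not part of this PR and not the Codacy audit script the description mentions. It parses `uses:` lines from a workflow, flags references that are not 40-character commit SHAs, and for pinned lines checks that the SHA equals the commit the commented tag resolves to, using the output format of `git ls-remote --tags`. The workflow text, the ls-remote output and every SHA in it are constructed sample data, and the function names are the example's own.

```python
"""Audit GitHub Actions `uses:` references for mutable refs and label drift."""
import re
from typing import Dict, List

# `uses: owner/repo[/subdir]@ref` optionally followed by `# <version note>`.
# Local (`./path`) and `docker://` actions carry no git ref and do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<note>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.

    An annotated tag appears twice: `<tag object sha>\trefs/tags/vX` and the
    peeled `<commit sha>\trefs/tags/vX^{}`. A `uses:` pin must name the commit,
    so the peeled entry wins whenever it is present.
    """
    tags: Dict[str, str] = {}
    peeled: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()[:2]
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def audit_workflow(text: str, tags_by_repo: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one finding per `uses:` line that is not a verified immutable pin."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, note = m.group("action"), m.group("ref"), m.group("note")
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any subdir
        if not FULL_SHA_RE.match(ref):
            # Tag, branch or abbreviated SHA: the upstream can move it.
            findings.append({"line": lineno, "action": action, "kind": "not-full-sha", "ref": ref})
        elif note is None:
            # Pinned, but nobody can tell which version it is meant to be.
            findings.append({"line": lineno, "action": action, "kind": "unlabelled-pin", "ref": ref})
        else:
            expected = tags_by_repo.get(repo, {}).get(note)
            if expected is None:
                findings.append({"line": lineno, "action": action, "kind": "unknown-tag", "ref": note})
            elif expected != ref:
                findings.append({"line": lineno, "action": action, "kind": "version-mismatch",
                                 "ref": ref, "expected": expected})
    return findings


# Constructed sample data (not real commits): commit SHAs for two tags, plus the
# tag *object* SHA of the annotated v2.0.0 tag, which must never be used as a pin.
SHA_V2 = "0123456789abcdef" * 2 + "01234567"
SHA_V3 = "fedcba9876543210" * 2 + "fedcba98"
TAG_OBJ_V2 = "1" * 40

SAMPLE_LS_REMOTE = f"""{TAG_OBJ_V2}\trefs/tags/v2.0.0
{SHA_V2}\trefs/tags/v2.0.0^{{}}
{SHA_V3}\trefs/tags/v3.1.0
"""

SAMPLE_WORKFLOW = f"""
steps:
  - name: Change Title
    uses: actions/github-script@v2.0.0
  - name: Update GitHub issue
    uses: actions/github-script@{SHA_V3} # v2.0.0
  - name: Pinned to the tag object instead of the commit
    uses: actions/github-script@{TAG_OBJ_V2} # v2.0.0
  - name: Correctly pinned
    uses: actions/github-script@{SHA_V2} # v2.0.0
  - name: Pinned but unlabelled
    uses: actions/github-script@{SHA_V2}
  - uses: ./.github/actions/local-helper
"""


def run_sample() -> List[dict]:
    """Audit the constructed workflow against the constructed tag listing."""
    tags = {"actions/github-script": parse_ls_remote(SAMPLE_LS_REMOTE)}
    return audit_workflow(SAMPLE_WORKFLOW, tags)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In practice `tags_by_repo` is filled from `git ls-remote --tags https://github.com/<owner>/<repo>` for each distinct action, and the check is only as good as the tag at the moment it is resolved: after a force-pushed tag of the kind the PR description refers to, the tag points at a different commit, which is exactly why the SHA is the source of truth and the comment is only a label to be re-verified. The peeled-ref handling matters because pinning the tag object SHA of an annotated tag is not a commit and fails at runtime.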

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
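Review bot: the added line's `# v2.0.0` comment and its SHA must be verified against each other, and the inline review on this PR reports that 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 resolves to v3.1.0 rather than the v2.0.0 the removed line used. Resolve the tag directly before merging, for example with `git ls-remote --tags https://github.com/actions/github-script v2.0.0`, and pin the peeled commit SHA (the `^{}` entry, if the tag is annotated) so the pin is an exact substitute for `actions/github-script@v2.0.0`; a cross-major jump here changes the Octokit version the inline script in this step runs against. Once pinned, Dependabot's `github-actions` ecosystem keeps the SHA and the version comment updated together so the label cannot drift again.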

🟡 MEDIUM RISK

The commit SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 corresponds to version v3.1.0. To maintain consistency with the stated version v2.0.0 and avoid potential breaking changes in Octokit, use the correct SHA for v2.0.0.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0731f4a95726224e2c90666614138e6141315589 # v2.0.0

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
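Review bot: same SHA/version mismatch as the Change Title step: the pin 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 is labelled `# v2.0.0` but the review on this PR reports that it resolves to v3.1.0. Because this step is guarded by `if: env.JIRA_CREATE_ISSUE_AUTO == 'true'`, a breaking change in the script API would only surface when that flag is set, so exercise that path once the SHA is corrected rather than relying on the default run being green.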

🟡 MEDIUM RISK

The commit SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 corresponds to v3.1.0, which contradicts the # v2.0.0 label. If the intention is to remain on version 2, please use the correct SHA.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0731f4a95726224e2c90666614138e6141315589 # v2.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
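Review bot: third occurrence of the same pin; this step carries `id: github_issue_type`, so any later step that reads `steps.github_issue_type.outputs` would inherit a behaviour change from the v3.1.0 Octokit API that the review reports this SHA resolves to. Correct the SHA here in the same change as the other two, and add a CI check that every `uses:` line is a 40-hex commit SHA whose trailing comment matches the tag it resolves to, so all three stay consistent.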

🟡 MEDIUM RISK

The commit SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 points to version v3.1.0, but the comment indicates v2.0.0. This mismatch should be resolved by using the correct SHA for v2.0.0 to prevent unexpected breaking changes from a major version jump.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@0731f4a95726224e2c90666614138e6141315589 # v2.0.0

@afsmeira afsmeira merged commit c7b058a into master Mar 25, 2026
3 checks passed
@jorgebraz jorgebraz deleted the security/pin-actions-to-sha branch March 25, 2026 12:41

2 participants