
Security: pin GitHub Actions to SHA hashes#259

Merged
afsmeira merged 1 commit into master from security/pin-actions-to-sha
Mar 25, 2026

Conversation

@jorgebraz
Contributor

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@jorgebraz jorgebraz requested a review from a team as a code owner March 24, 2026 17:35
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Alerts:


Results:
0 new issues



@codacy-production codacy-production bot left a comment


Pull Request Overview

While this PR correctly identifies the security requirement of pinning GitHub Actions to immutable commit SHAs, the implementation contains critical errors that should prevent merging. Several commit SHAs provided do not match the associated version tags or the target actions, which will cause immediate CI/CD failures. Additionally, the PR leaves a deprecated version of github-script (v2) in place; this version relies on Node.js 12, which is no longer supported by GitHub Actions runners. Although Codacy identifies the PR as 'Up to Standards', these functional defects in the workflow configuration are blockers.

About this PR

  • No automated validation or linting was added to ensure that future workflow changes continue to use SHAs instead of tags. Consider adding a linter like 'actionlint' to the CI pipeline to enforce this security standard automatically.

Test suggestions

  • Verify 'actions/checkout' still resolves correctly using SHA 34e114876b0b11c390a56381ad16ebd13914f8d5.
  • Verify 'dependabot/fetch-metadata' still resolves correctly using SHA 21025c705c08248db411dc16f3619e6b5f9ea21a.
  • Verify 'atlassian/gajira' actions still resolve correctly using the new commit SHAs.
  • Verify 'actions/github-script' still resolves correctly using SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45.
Low confidence findings
  • The PR description references a 'TeamPCP/Trivy incident (March 2026)', which appears to be a placeholder or a future-dated typo.

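The review above asks for an automated check that workflow references stay SHA-pinned, and the PR description reports an "Actions left as tags" count. The script below is an added example of such a check; it is not the Codacy audit script and not code from this repository. It scans workflow text for `uses:` references and reports those still pointing at a tag or branch; the sample workflow and its all-zero SHA are constructed placeholders.

```python
import re
from typing import NamedTuple

# `uses:` value of a step or reusable-workflow job, with optional quotes and "# v4" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"#\s]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class ActionRef(NamedTuple):
    line: int
    action: str
    ref: str
    kind: str  # "sha", "mutable" (tag or branch), "local" or "docker"

def classify(uses: str) -> tuple[str, str, str]:
    # Split "owner/repo@ref" into (action, ref, kind).
    if uses.startswith("./"):
        return uses, "", "local"        # same-repo action: nothing to pin
    if uses.startswith("docker://"):
        return uses, "", "docker"       # container image: pin by digest instead
    action, _, ref = uses.partition("@")
    return action, ref, "sha" if SHA_RE.fullmatch(ref) else "mutable"

def scan_workflow(text: str) -> list[ActionRef]:
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append(ActionRef(lineno, *classify(m.group("ref"))))
    return refs

def unpinned(text: str) -> list[ActionRef]:
    # Actions still referenced by a tag or branch: the "left as tags" count.
    return [r for r in scan_workflow(text) if r.kind == "mutable"]

# Constructed sample workflow; the 40-hex SHA is a made-up placeholder.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: "dependabot/fetch-metadata@main"
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE):
        print(f"line {r.line}: {r.action}@{r.ref} is not pinned to a SHA")
    print("Actions left as tags:", len(unpinned(SAMPLE)))
```

This only checks that a reference has the shape of a full commit SHA; whether that SHA is really the commit the trailing `# v4` comment claims must be confirmed against the upstream repository, which is exactly the mismatch the review flags.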

@afsmeira afsmeira merged commit 382d0b9 into master Mar 25, 2026
8 checks passed
@afsmeira afsmeira deleted the security/pin-actions-to-sha branch March 25, 2026 10:15
