
Security: pin GitHub Actions to SHA hashes #90

Open

jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues: 0 issues

Results:
0 new issues


AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production bot left a comment


Pull Request Overview

While this PR correctly implements the security requirement of pinning GitHub Actions to SHA hashes, it introduces a critical regression. The SHA hash used for actions/github-script corresponds to version v3.0.0, but the workflow comments and existing script logic are based on v2.0.0.

This discrepancy is a 'breaking change' because v3.0.0 of this action changed the underlying Octokit client structure (e.g., github.issues moved to github.rest.issues), which will cause all issue-related workflows in this PR to fail upon execution. This must be corrected to use the v2.0.0 SHA before merging.

About this PR

  • The PR performs an unrequested major version upgrade of 'actions/github-script' from v2.0.0 to v3.0.0 via the SHA hash provided. This may introduce breaking changes to the repository's CI/CD automation logic that were not part of the original scope.

Test suggestions

  • Verify that all 'uses' directives in workflow files now reference a 40-character SHA instead of a tag.
  • Validate that the pinned SHA for 'actions/github-script' corresponds to the v2.0.0 tag specified in the comments.
  • Ensure workflow files pass YAML validation and 'actionlint' or similar GitHub Actions schema checks.
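As an added example, not part of the PR or of the Codacy output, here is a small Python check implementing the first test suggestion above (every `uses:` reference is a 40-character commit SHA) and additionally flagging SHA pins that lack a trailing version comment; the sample workflow text is constructed from the steps in this PR. It deliberately does not verify that the SHA belongs to the tag named in the comment, which is the mismatch the review found and needs a lookup against the action's repository.

```python
import re

# A `uses:` step line: optional list dash, the action@ref target, an optional "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$')
# GitHub commit SHAs are 40 lowercase hex characters; anything else is a mutable ref.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_uses_line(line):
    """Return (target, status) for a `uses:` line, or None for any other line.
    status: 'pinned', 'pinned-no-version-comment', 'unpinned' or 'not-applicable'."""
    m = USES_RE.match(line)
    if m is None:
        return None
    target, comment = m.group(1).strip('\'"'), m.group(2)
    # Local actions and docker:// images are outside the tag-vs-SHA question.
    if target.startswith('./') or target.startswith('docker://'):
        return target, 'not-applicable'
    if '@' not in target:
        return target, 'unpinned'
    ref = target.rsplit('@', 1)[1]
    if not SHA_RE.match(ref):
        return target, 'unpinned'  # tag or branch: can be moved after the fact
    if not comment or not re.match(r'v?\d', comment):
        return target, 'pinned-no-version-comment'  # SHA with no "# vX.Y.Z" hint
    return target, 'pinned'

def audit_workflow(text):
    """Return (line_number, target, status) for every line that is not a documented SHA pin."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        result = check_uses_line(line)
        if result and result[1] in ('unpinned', 'pinned-no-version-comment'):
            findings.append((n, result[0], result[1]))
    return findings
# Constructed sample modelled on the steps in this PR; not the repository's real workflow file.
SAMPLE_WORKFLOW = """\
jobs:
  jira:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Change Title
        uses: actions/github-script@v2.0.0
      - name: Update GitHub issue
        uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
      - name: Pinned but undocumented
        uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45
      - uses: ./.github/actions/local-helper
"""
```

Run `audit_workflow` over each file under `.github/workflows`; a non-empty findings list means the PR has not finished the job it claims.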

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
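Review bot: nothing in this hunk lets a reviewer confirm that 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 is the commit the v2.0.0 tag resolves to; the trailing `# v2.0.0` is documentation only, and the runner ignores it. Before merge, resolve the tag independently (`git ls-remote --tags https://github.com/actions/github-script v2.0.0` lists the tag ref and, for an annotated tag, the peeled `^{}` commit) and compare the result with the pinned SHA. A pin to the wrong commit is still a valid pin as far as the workflow parser is concerned, so this comparison is the only thing that catches a mismatch.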

🔴 HIGH RISK

The commit SHA 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 corresponds to v3.0.0, which is incompatible with the v2.0.0 syntax used in the scripts in this file.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@7467688031e40c0f991f865391c9533f811df4f6 # v2.0.0

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
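Review bot: this is the same SHA as the Change Title step above, so whichever commit it turns out to be, every github-script step in the file moves together; if the SHA has to be corrected, it must be corrected in all three `uses:` lines and the `# v2.0.0` comments updated with it, otherwise the comments become misleading. To keep SHA and comment from drifting on later bumps, consider enabling Dependabot's `github-actions` package ecosystem, which updates SHA pins and rewrites the version comment beside them in the same change.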

🔴 HIGH RISK

The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 corresponds to v3.0.0, not v2.0.0. This is incompatible with the github.issues calls used later in this workflow.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@7467688031e40c0f991f865391c9533f811df4f6 # v2.0.0

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
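Review bot: this step carries `id: github_issue_type`, presumably so that later steps can reference its outputs; if the pinned commit does not implement the client API the script in this step expects, the failure surfaces downstream as missing or empty outputs rather than only in this step. When validating the pin, exercise the whole path behind `JIRA_CREATE_COMMENT_AUTO == 'true'` end to end, not this step in isolation.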

🔴 HIGH RISK

The SHA hash 6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 points to v3.0.0 of actions/github-script, whereas the comment and requirements specify v2.0.0. This upgrade introduces breaking changes to the Octokit client (e.g., github.issues vs github.rest.issues) that will break the scripts used in this workflow.

Suggested change
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
uses: actions/github-script@7467688031e40c0f991f865391c9533f811df4f6 # v2.0.0
