security: harden release-5.12 — pin actions, dep guard, fix installs (#7956)

## Summary
- **Pin ALL GitHub Actions to SHA-256** across all 15 workflow files —
every `uses:` now references a full commit hash with original tag as
comment
- **Update ALL TykTechnologies/github-actions refs** to
`@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785` (main)
- **Add dependency guard** (`dep-guard` job) to 5 workflows with
`pull_request` triggers that run build/install commands: ci-tests,
codeql-analysis, lint-swagger, plugin-compiler-build, release
- **Fix unsafe install commands**: `pip install` → `--no-deps`, `npm
install` → `--ignore-scripts` + pinned version, all `go install` in
Taskfiles pinned to commit SHA
- **Pin Docker images**: `tykio/ci-tools:latest` →
`tykio/ci-tools@sha256:1796c0...` (3 occurrences)
- **Flag curl|bash**: Added TODO comments before 2 `curl | bash` lines
in release.yml

Same hardening as master (PR #7943). Part of org-wide supply chain
security hardening.

## Test plan
- [ ] Verify CI workflows still pass (dep-guard should be transparent
for non-dependency PRs)
- [ ] Confirm all action SHAs resolve correctly
- [ ] Verify `labeled` type addition doesn't break existing PR triggers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: buger

.github/workflows/ci-tests.yml

@@ -12,6 +12,7 @@ on:
       - reopened
       - synchronize
       - ready_for_review
+      - labeled
   push:
     branches:
       - master
@@ -27,12 +28,19 @@ env:
   BRANCH_NAME: ${{ github.base_ref || github.ref_name }} # base_ref for PRs is 'master', but merges read in ref_name
 
 jobs:
+  dep-guard:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   lint:
+    needs: [dep-guard]
     runs-on: ubuntu-latest
     if: ${{ !github.event.pull_request.draft }}
     steps:
       - name: "Checkout PR"
-        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
+        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
         with:
           token: ${{ secrets.ORG_GH_TOKEN }}
 
@@ -42,15 +50,15 @@ jobs:
           git rev-parse origin/${{ env.BRANCH_NAME }}
 
       - name: Setup Golang
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff  # v5
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
 
       - name: Setup CI Tooling
-        uses: shrink/actions-docker-extract@v3
+        uses: shrink/actions-docker-extract@04c17c51a5b9fd93b7aed2e05e86c8fe2d90ee52  # v3
         with:
-          image: tykio/ci-tools:latest
+          image: tykio/ci-tools@sha256:1796c0938247f42c580c501f7cd04e1144a59a62c6d8ba743572ff40371e1306  # latest
           path: /usr/local/bin/.
           destination: /usr/local/bin
 
@@ -64,7 +72,7 @@ jobs:
           task --exit-code lint:check-git-state MESSAGE="task tidy made git state dirty, please run task lint locally and update PR"
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9  # v8
         timeout-minutes: 20
         with:
           version: v2.5.0
@@ -75,7 +83,7 @@ jobs:
           skip-cache: false
           skip-save-cache: false
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         if: ${{ always() }}
         with:
           name: golangcilint
@@ -102,7 +110,7 @@ jobs:
 
     steps:
       - name: Checkout Tyk
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
         with:
           ref: ${{ github.ref }}
 
@@ -114,7 +122,7 @@ jobs:
       # Regardless that the base image provides a python release, we need
       # setup-python so it properly configures the python3-venv.
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -125,14 +133,14 @@ jobs:
         run: pip -V && pip3 -V
 
       - name: Setup CI Tooling
-        uses: shrink/actions-docker-extract@v3
+        uses: shrink/actions-docker-extract@04c17c51a5b9fd93b7aed2e05e86c8fe2d90ee52  # v3
         with:
-          image: tykio/ci-tools:latest
+          image: tykio/ci-tools@sha256:1796c0938247f42c580c501f7cd04e1144a59a62c6d8ba743572ff40371e1306  # latest
           path: /usr/local/bin/.
           destination: /usr/local/bin
 
       - name: Setup Golang
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff  # v5
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
@@ -142,10 +150,10 @@ jobs:
         run: |
           sudo apt-get install libluajit-5.1-dev
 
-          python -m pip install --upgrade pip
-          pip install setuptools
-          pip install google
-          pip install 'protobuf==4.24.4'
+          python -m pip install --no-deps --upgrade pip
+          pip install --no-deps setuptools
+          pip install --no-deps google
+          pip install --no-deps 'protobuf==4.24.4'
 
       - name: Bring up test services
         run: task services:up
@@ -160,14 +168,14 @@ jobs:
           task test:e2e-combined args="-race -timeout=15m"
           task test:coverage
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         if: ${{ always() }}
         with:
           name: coverage
           retention-days: 1
           path: coverage/gateway-all.cov
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
         if: ${{ always() }}
         with:
           name: testjson
@@ -180,23 +188,23 @@ jobs:
     needs: [test, lint]
     steps:
       - name: "Checkout repository"
-        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
+        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
         with:
           token: ${{ secrets.ORG_GH_TOKEN }}
 
       - name: Download coverage artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
         with:
           name: coverage
 
       - name: Download golangcilint artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4
         with:
           name: golangcilint
 
       - name: Check reports existence
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6  # v3
         with:
           files: 'gateway-all.cov, golangci-lint-report.json'
           fail: true
@@ -230,7 +238,7 @@ jobs:
 
       - name: Scan
         if: always()
-        uses: sonarsource/sonarqube-scan-action@master
+        uses: sonarsource/sonarqube-scan-action@3988e54db2467c7e9583a4af619c3f5647d6b8ad  # master
         with:
           args: ${{ steps.sonar_params.outputs.sonar_args }}
         env:

.github/workflows/codeql-analysis.yml

@@ -8,6 +8,12 @@ name: "CodeQL"
 on:
   pull_request:
     branches: [master]
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - labeled
   schedule:
     - cron: '0 18 * * 4'
 
@@ -16,7 +22,14 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  dep-guard:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   analyze:
+    needs: [dep-guard]
     name: Analyze
     if: ${{ !github.event.pull_request.draft }}
     runs-on: ubuntu-latest
@@ -32,7 +45,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -44,13 +57,13 @@ jobs:
       if: ${{ github.event_name == 'pull_request' }}
 
     - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff  # v5
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88  # v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +74,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88  # v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -75,4 +88,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88  # v2

.github/workflows/force-merge.yaml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   call_force_merge:
-    uses: TykTechnologies/github-actions/.github/workflows/force-merge.yaml@main
+    uses: TykTechnologies/github-actions/.github/workflows/force-merge.yaml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
     secrets:
       ADMIN_PAT: ${{ secrets.ORG_GH_TOKEN }}
       SLACK_WEBHOOK_URL: ${{ secrets.FORCE_MERGE_SLACK_WEBHOOK }}

.github/workflows/intelligent-branch-recomendations.yml

@@ -12,7 +12,14 @@ permissions:
   contents: read
 
 jobs:
+  dep-guard:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   branch-suggestions:
-    uses: TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml@main
+    needs: [dep-guard]
+    uses: TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
     secrets:
       JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}

.github/workflows/jira-pr-validator.yaml

@@ -9,12 +9,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  dep-guard:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   validate:
+    needs: [dep-guard]
     if: ${{ !github.event.pull_request.draft }}
     runs-on: ubuntu-latest
     steps:
       - name: Validate Jira ticket
-        uses: TykTechnologies/jira-linter@main
+        uses: TykTechnologies/jira-linter@38a9cabef56171c4e52ea698fa7be3db5fca3a49  # main
         with:
           jira-base-url: 'https://tyktech.atlassian.net'
           jira-api-token: ${{ secrets.JIRA_TOKEN }}

.github/workflows/lint-swagger.yml

@@ -4,6 +4,12 @@ name: "Lint swagger schema"
 
 on:
   pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - labeled
     paths:
       - 'swagger.yml'
 
@@ -12,21 +18,28 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  dep-guard:
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   redocly_validator:
+    needs: [dep-guard]
     runs-on: ubuntu-latest
     name: Validate the swagger with redocly cli
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
         with:
           node-version: 20
       - name: Validate OpenAPI definition with redocly
         run: |
-          npm install @redocly/cli -g
+          npm install --ignore-scripts @redocly/cli@1.34.3 -g
           redocly lint swagger.yml --config=redocly.yml
 
   diff_swagger:
+    needs: [dep-guard]
     name: Diff swagger yaml for comment
     runs-on: ubuntu-latest
 
@@ -38,12 +51,12 @@ jobs:
           git config --global url."https://${TOKEN}@github.com".insteadOf "https://github.com"
 
       - name: Checkout repo
-        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
+        uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
         with:
           token: ${{ secrets.ORG_GH_TOKEN }}
 
       - name: Setup Golang
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff  # v5
         with:
           go-version: stable
 
@@ -87,15 +100,15 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Find Comment
-        uses: peter-evans/find-comment@v2
+        uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1  # v2
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: Swagger Changes
 
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v3
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2  # v3
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/lint.yml

@@ -13,9 +13,16 @@ concurrency:
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  dep-guard:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
+    permissions:
+      contents: read
+
   godoc:
+    needs: [dep-guard]
     if: ${{ !github.event.pull_request.draft }}
-    uses: TykTechnologies/github-actions/.github/workflows/godoc.yml@main
+    uses: TykTechnologies/github-actions/.github/workflows/godoc.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785  # main
     secrets:
       ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
     with: