52 changes: 30 additions & 22 deletions .github/workflows/ci-tests.yml
Expand Up @@ -9,14 +9,15 @@
- release-**
types:
- opened
- reopened
- synchronize
- ready_for_review
- labeled
push:

Check warning on line 16 in .github/workflows/ci-tests.yml
probelabs / Visor: architecture
architecture Issue
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the entire workflow, including the full test suite, to re-run every time a label is added or removed. This is often unnecessary and can lead to wasted CI resources and increased wait times for developers.
Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
branches:
- master
- release-**

Check warning on line 20 in .github/workflows/ci-tests.yml
probelabs / Visor: performance
performance Issue
The introduction of the `dep-guard` job as a dependency for other jobs (like `lint`) adds a sequential step to the CI pipeline. This will increase the overall wall-clock time for workflows to complete on pull requests. This change is present in multiple workflow files (e.g., `codeql-analysis.yml`, `lint.yml`, `plugin-compiler-build.yml`).
This is an intentional trade-off for enhanced security. The impact on CI execution time should be monitored. If the `dep-guard` job becomes a significant bottleneck, consider if it can be run in parallel with other setup or non-dependent jobs to minimize its impact on the critical path of the workflow.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
Expand All @@ -27,12 +28,19 @@
BRANCH_NAME: ${{ github.base_ref || github.ref_name }} # base_ref for PRs is 'master', but merges read in ref_name

jobs:
dep-guard:
if: ${{ github.event_name == 'pull_request' }}
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

lint:
needs: [dep-guard]
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.draft }}
steps:
- name: "Checkout PR"
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
with:
token: ${{ secrets.ORG_GH_TOKEN }}
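Review bot: with `dep-guard` guarded by `if: ${{ github.event_name == 'pull_request' }}` and `lint` declaring `needs: [dep-guard]`, the guard is skipped on the `push` trigger this workflow also has (branches `master` and `release-**`), and a job whose needed job was skipped is itself skipped unless its own `if` opts out of the default success check; so `lint`, and everything downstream of it, would stop running on pushes to master. Either drop the event condition on `dep-guard` so the reusable workflow decides for itself, or make the dependent condition explicit, e.g. `if: ${{ !cancelled() && !github.event.pull_request.draft && needs.dep-guard.result != 'failure' }}`.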

Expand All @@ -42,15 +50,15 @@
git rev-parse origin/${{ env.BRANCH_NAME }}

- name: Setup Golang
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version-file: go.mod
cache-dependency-path: go.sum

- name: Setup CI Tooling
uses: shrink/actions-docker-extract@v3
uses: shrink/actions-docker-extract@04c17c51a5b9fd93b7aed2e05e86c8fe2d90ee52 # v3
with:
image: tykio/ci-tools:latest
image: tykio/ci-tools@sha256:1796c0938247f42c580c501f7cd04e1144a59a62c6d8ba743572ff40371e1306 # latest
path: /usr/local/bin/.
destination: /usr/local/bin
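Review bot: the digest pin on `tykio/ci-tools` is the right move, but the trailing `# latest` comment only records a floating tag, so a future reader cannot tell which build the digest was resolved from or when it has gone stale. Record the concrete tag or the date the digest was taken beside it, and decide who refreshes it: the version comments next to the action SHAs give an updater something to track, whereas a digest labelled `latest` does not.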

Expand All @@ -64,7 +72,7 @@
task --exit-code lint:check-git-state MESSAGE="task tidy made git state dirty, please run task lint locally and update PR"

- name: golangci-lint
uses: golangci/golangci-lint-action@v8
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
timeout-minutes: 20
with:
version: v2.5.0
Expand All @@ -75,7 +83,7 @@
skip-cache: false
skip-save-cache: false

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: ${{ always() }}
with:
name: golangcilint
Expand All @@ -102,7 +110,7 @@

steps:
- name: Checkout Tyk
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ github.ref }}

Expand All @@ -114,7 +122,7 @@
# Regardless that the base image provides a python release, we need
# setup-python so it properly configures the python3-venv.
- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand All @@ -125,14 +133,14 @@
run: pip -V && pip3 -V

- name: Setup CI Tooling
uses: shrink/actions-docker-extract@v3
uses: shrink/actions-docker-extract@04c17c51a5b9fd93b7aed2e05e86c8fe2d90ee52 # v3
with:
image: tykio/ci-tools:latest
image: tykio/ci-tools@sha256:1796c0938247f42c580c501f7cd04e1144a59a62c6d8ba743572ff40371e1306 # latest
path: /usr/local/bin/.
destination: /usr/local/bin

- name: Setup Golang
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version-file: go.mod
cache-dependency-path: go.sum
Expand All @@ -140,12 +148,12 @@
- name: Install Dependencies
id: dependencies
run: |
sudo apt-get install libluajit-5.1-dev

Check warning on line 152 in .github/workflows/ci-tests.yml
probelabs / Visor: quality
security Issue
The python packages `setuptools` and `google` are installed without a pinned version. This can lead to non-reproducible builds and introduce unexpected issues or vulnerabilities if a new version is released. While `protobuf` is pinned, these are not, which is inconsistent with the security hardening goal of this PR.
Pin the versions for `setuptools` and `google` to ensure reproducible and secure builds. You can find the latest stable versions on PyPI and pin to them, for example: `pip install --no-deps 'setuptools==69.5.1'` and `pip install --no-deps 'google==3.0.0'`.
python -m pip install --upgrade pip
pip install setuptools
pip install google
pip install 'protobuf==4.24.4'
python -m pip install --no-deps --upgrade pip
pip install --no-deps setuptools
pip install --no-deps google
pip install --no-deps 'protobuf==4.24.4'

- name: Bring up test services
run: task services:up
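Review bot: `--no-deps` on the unpinned `setuptools` and `google` installs only stops transitive packages from being pulled in; the top-level packages still resolve to whatever PyPI serves on the day the job runs, and if either of them needs a dependency at import time the later test steps will fail with an unrelated-looking error. Pin both (the Visor annotation above suggests versions) and, for the guarantee this PR is reaching for, move the four installs into a requirements file installed with `--require-hashes`. The `--no-deps` added to `python -m pip install --upgrade pip` is harmless but a no-op, since pip has no dependencies of its own.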
Expand All @@ -160,14 +168,14 @@
task test:e2e-combined args="-race -timeout=15m"
task test:coverage

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: ${{ always() }}
with:
name: coverage
retention-days: 1
path: coverage/gateway-all.cov

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: ${{ always() }}
with:
name: testjson
Expand All @@ -180,23 +188,23 @@
needs: [test, lint]
steps:
- name: "Checkout repository"
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
with:
token: ${{ secrets.ORG_GH_TOKEN }}

- name: Download coverage artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: coverage

- name: Download golangcilint artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: golangcilint

- name: Check reports existence
id: check_files
uses: andstor/file-existence-action@v3
uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
with:
files: 'gateway-all.cov, golangci-lint-report.json'
fail: true
Expand Down Expand Up @@ -230,7 +238,7 @@

- name: Scan
if: always()
uses: sonarsource/sonarqube-scan-action@master
uses: sonarsource/sonarqube-scan-action@3988e54db2467c7e9583a4af619c3f5647d6b8ad # master
with:
args: ${{ steps.sonar_params.outputs.sonar_args }}
env:
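Review bot: `sonarsource/sonarqube-scan-action` is pinned to a commit taken from `master` rather than from a release tag, so the `# master` comment does not identify a version and there is no tag to compare the SHA against when reviewing or bumping it; pin to the SHA of a tagged release, as was done for the `actions/*` steps earlier in this file, so the comment names something stable.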
23 changes: 18 additions & 5 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -8,6 +8,12 @@
on:
pull_request:
branches: [master]
types:
- opened
- reopened
- synchronize
- ready_for_review
- labeled

Check warning on line 16 in .github/workflows/codeql-analysis.yml
probelabs / Visor: architecture
architecture Issue
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the entire CodeQL analysis to re-run every time a label is added or removed from a pull request. This is often unnecessary and can lead to wasted CI resources and longer wait times for developers.
Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
schedule:
- cron: '0 18 * * 4'

Expand All @@ -16,7 +22,14 @@
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
dep-guard:
if: ${{ github.event_name == 'pull_request' }}
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

analyze:
needs: [dep-guard]
name: Analyze
if: ${{ !github.event.pull_request.draft }}
runs-on: ubuntu-latest
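Review bot: `analyze` now `needs: [dep-guard]`, but `dep-guard` only runs when `github.event_name == 'pull_request'`, and this workflow also has a `schedule` trigger (`cron: '0 18 * * 4'`); on the scheduled run the guard is skipped, and a job whose required job was skipped does not run unless its `if` says otherwise, so the weekly CodeQL scan would silently stop. Either remove the event condition from `dep-guard` or give `analyze` an `if` such as `${{ !cancelled() && !github.event.pull_request.draft && needs.dep-guard.result != 'failure' }}`.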
Expand All @@ -32,7 +45,7 @@

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
Expand All @@ -44,13 +57,13 @@
if: ${{ github.event_name == 'pull_request' }}

- name: Install Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version-file: go.mod

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -61,7 +74,7 @@
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -75,4 +88,4 @@
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
2 changes: 1 addition & 1 deletion .github/workflows/force-merge.yaml
Expand Up @@ -6,7 +6,7 @@ on:

jobs:
call_force_merge:
uses: TykTechnologies/github-actions/.github/workflows/force-merge.yaml@main
uses: TykTechnologies/github-actions/.github/workflows/force-merge.yaml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
secrets:
ADMIN_PAT: ${{ secrets.ORG_GH_TOKEN }}
SLACK_WEBHOOK_URL: ${{ secrets.FORCE_MERGE_SLACK_WEBHOOK }}
9 changes: 8 additions & 1 deletion .github/workflows/intelligent-branch-recomendations.yml
Expand Up @@ -12,7 +12,14 @@ permissions:
contents: read

jobs:
dep-guard:
if: ${{ github.event_name == 'pull_request' }}
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

branch-suggestions:
uses: TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml@main
needs: [dep-guard]
uses: TykTechnologies/github-actions/.github/workflows/branch-suggestion.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
secrets:
JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
9 changes: 8 additions & 1 deletion .github/workflows/jira-pr-validator.yaml
Expand Up @@ -9,12 +9,19 @@ concurrency:
cancel-in-progress: true

jobs:
dep-guard:
if: ${{ github.event_name == 'pull_request' }}
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

validate:
needs: [dep-guard]
if: ${{ !github.event.pull_request.draft }}
runs-on: ubuntu-latest
steps:
- name: Validate Jira ticket
uses: TykTechnologies/jira-linter@main
uses: TykTechnologies/jira-linter@38a9cabef56171c4e52ea698fa7be3db5fca3a49 # main
with:
jira-base-url: 'https://tyktech.atlassian.net'
jira-user-email: ${{ secrets.JIRA_USER_EMAIL }}
27 changes: 20 additions & 7 deletions .github/workflows/lint-swagger.yml
Expand Up @@ -4,6 +4,12 @@

on:
pull_request:
types:
- opened
- reopened
- synchronize
- ready_for_review
- labeled

Check warning on line 12 in .github/workflows/lint-swagger.yml
probelabs / Visor: architecture
architecture Issue
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the swagger linting and diffing to re-run every time a label is added or removed from a pull request. While less expensive than a full test run, it is still often unnecessary and can lead to wasted CI resources.
Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
paths:
- 'swagger.yml'

Expand All @@ -12,21 +18,28 @@
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
dep-guard:
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

redocly_validator:
needs: [dep-guard]
runs-on: ubuntu-latest
name: Validate the swagger with redocly cli

steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20
- name: Validate OpenAPI definition with redocly
run: |
npm install @redocly/cli -g
npm install --ignore-scripts @redocly/cli@1.34.3 -g
redocly lint swagger.yml --config=redocly.yml

diff_swagger:
needs: [dep-guard]
name: Diff swagger yaml for comment
runs-on: ubuntu-latest
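Review bot: this `dep-guard` job carries no `if: ${{ github.event_name == 'pull_request' }}` guard, unlike the same job in the other workflows in this PR; it works here only because the workflow is `pull_request`-only, so a later `push` or `workflow_dispatch` trigger would invoke the reusable workflow outside a PR context. Make it consistent in one direction, either adding the guard here or dropping it everywhere and letting `dependency-guard.yml` decide. Separately, `npm install --ignore-scripts @redocly/cli@1.34.3 -g` is a good pin, but confirm that `redocly lint` still runs with install scripts suppressed, since any package in that tree that relies on a postinstall step will be installed incomplete.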

Expand All @@ -38,12 +51,12 @@
git config --global url."https://${TOKEN}@github.com".insteadOf "https://github.com"

- name: Checkout repo
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@main
uses: TykTechnologies/github-actions/.github/actions/checkout-pr@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
with:
token: ${{ secrets.ORG_GH_TOKEN }}

- name: Setup Golang
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: stable
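Review bot: `actions/setup-go` is now SHA-pinned, but the step still uses `go-version: stable`, a floating alias that resolves to whatever the newest Go release is on the day the job runs, which is exactly the drift the rest of this PR removes; `ci-tests.yml` uses `go-version-file: go.mod`, so do the same here so the swagger diff tooling builds with the module's declared Go version.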

Expand Down Expand Up @@ -87,15 +100,15 @@
echo "EOF" >> $GITHUB_OUTPUT

- name: Find Comment
uses: peter-evans/find-comment@v2
uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Swagger Changes

- name: Create or update comment
uses: peter-evans/create-or-update-comment@v3
uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
9 changes: 8 additions & 1 deletion .github/workflows/lint.yml
Expand Up @@ -13,9 +13,16 @@ concurrency:
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
dep-guard:
if: ${{ github.event_name == 'pull_request' }}
uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
permissions:
contents: read

godoc:
needs: [dep-guard]
if: ${{ !github.event.pull_request.draft }}
uses: TykTechnologies/github-actions/.github/workflows/godoc.yml@main
uses: TykTechnologies/github-actions/.github/workflows/godoc.yml@2b35ab5dd4cfff21ced9d12446e9e27d10bf5785 # main
secrets:
ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
with: