[TT-16950] fix: sync security hardening from release-5.12 (#7956) #8070

Merged
buger merged 1 commit into release-5.12.1 from sync/5.12.1-security-hardening
Apr 17, 2026

@buger
Member

@buger buger commented Apr 17, 2026

Summary

Sync security hardening commit #7956 from release-5.12 to release-5.12.1.

Changes include:

  • Pinned GitHub Actions to commit SHAs across workflow files
  • Added dep guard workflow
  • Fixed installs in Taskfiles

Conflict resolution: release.yml had 47 conflict blocks because release-5.12.1 already had actions pinned independently (with slightly different SHAs). Resolved by keeping the release-5.12.1 versions since they were already pinned. All other workflow and Taskfile changes applied cleanly.

Test plan

  • CI passes

🤖 Generated with Claude Code

Cherry-pick security hardening commit that was on release-5.12 but
missing from release-5.12.1. Pins GitHub Actions, adds dep guard,
fixes installs.

release.yml conflicts resolved by keeping HEAD (release-5.12.1
already had pinned actions applied independently).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 17, 2026 06:21
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: c07c32a
Failed at: 2026-04-17 06:22:35 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to validate branch and PR title rules: branch name 'sync/5.12.1-security-hardening' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

This PR syncs security hardening changes from the release-5.12 branch. The primary changes involve pinning GitHub Actions and Go dependencies to specific commit SHAs to improve supply chain security and ensure reproducible builds. A new dep-guard workflow has been added as a security gate for all pull requests.

Files Changed Analysis

The changes are concentrated in GitHub Actions workflows (.github/workflows/) and Taskfile.yml files. All 14 modified workflow files now use commit SHAs for their uses: clauses instead of branches or tags. A new dep-guard job has been added to most PR-triggered workflows, making it a prerequisite for other jobs like lint and test. The 11 modified Taskfile.yml files and the ci-tests.yml workflow also pin Go and Python dependencies to specific versions or commit hashes.

Architecture & Impact Assessment

  • What this PR accomplishes: This PR hardens the CI/CD pipeline against supply chain attacks and improves build reproducibility by ensuring that the exact same versions of actions and tools are used in every run.
  • Key technical changes introduced:
    • Dependency Pinning: All GitHub Actions are now pinned to full-length commit SHAs (e.g., actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 instead of actions/checkout@v4). This mitigates the risk of a compromised tag or branch introducing malicious code. Similarly, Go tools installed via go install in Taskfiles are also pinned to SHAs.
    • New Security Gate: A reusable workflow, dependency-guard.yml, is introduced as a dep-guard job. This job now runs at the beginning of most CI workflows, acting as a mandatory check before linting, testing, or building.
    • Stricter Python Installs: The pip install commands in the ci-tests.yml workflow now use the --no-deps flag to prevent the installation of potentially untrusted transitive dependencies.
  • Affected system components: The changes primarily affect the project's CI/CD and development environment infrastructure. There are no changes to the application's runtime code. The main impact is on the security and reliability of the build and test processes.

CI Workflow Enhancement

graph TD
    subgraph "CI Workflow (e.g., ci-tests.yml)"
        A[PR Trigger] --> B(dep-guard);
        B --> C(lint);
        B --> D(test);
        C --> E(sonar-scan);
        D --> E;
    end

Scope Discovery & Context Expansion

  • The changes indicate a repository-wide security initiative to harden the development lifecycle. By modifying all workflow files, the PR enforces a consistent security posture across all automated checks.
  • The use of a centralized, reusable workflow (TykTechnologies/github-actions/.github/workflows/dependency-guard.yml) suggests a strategy to manage security policies across multiple repositories within the TykTechnologies organization, rather than implementing checks on a per-repository basis.
  • The pinning of dependencies in Taskfile.yml files extends this security and reproducibility practice to the local developer environment, ensuring that developers use the same tool versions as the CI pipeline. This helps prevent "works on my machine" issues.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-04-17T06:24:18.247Z | Triggered by: pr_opened | Commit: c07c32a

💡 TIP: You can chat with Visor using /visor ask <your question>
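
The pinning rule discussed in this review (full-length commit SHA in every `uses:` clause) can be checked mechanically. The sketch below is an added example, not code from this PR or from the project's dep-guard workflow; the sample workflow and the `example-org` names are constructed, and only the two `actions/checkout` references come from the review above.

```python
import re

# Constructed sample workflow. Only the two actions/checkout refs appear in
# the PR discussion; every other name here is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  dep-guard:
    uses: example-org/shared/.github/workflows/guard.yml@main
  lint:
    needs: dep-guard
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
      - uses: "example-org/tool@abc1234"
"""

# Matches step-level and job-level (reusable workflow) `uses:` keys;
# commented-out lines do not match because they start with '#'.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"  # lives in the same repo, versioned with the workflow
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "unpinned"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned"
    # Tags, branches and abbreviated SHAs are all mutable or ambiguous.
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"

def audit(text):
    """Return (line_number, reference) for every unpinned `uses:` clause."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a full commit SHA: {ref}")
```
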

@buger buger merged commit dbe0df3 into release-5.12.1 Apr 17, 2026
18 of 19 checks passed
@buger buger deleted the sync/5.12.1-security-hardening branch April 17, 2026 06:23
@github-actions
Contributor

API Changes

no api changes detected

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

✅ Security Check Passed

No security issues found – changes LGTM.

Architecture Issues (4)

Severity Location Issue
🟡 Warning .github/workflows/ci-tests.yml:12-16
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the entire workflow, including the full test suite, to re-run every time a label is added or removed. This is often unnecessary and can lead to wasted CI resources and increased wait times for developers.
💡 Suggestion: Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
🟡 Warning .github/workflows/codeql-analysis.yml:11-16
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the entire CodeQL analysis to re-run every time a label is added or removed from a pull request. This is often unnecessary and can lead to wasted CI resources and longer wait times for developers.
💡 Suggestion: Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
🟡 Warning .github/workflows/lint-swagger.yml:7-12
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the swagger linting and diffing to re-run every time a label is added or removed from a pull request. While less expensive than a full test run, it is still often unnecessary and can lead to wasted CI resources.
💡 Suggestion: Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).
🟡 Warning .github/workflows/plugin-compiler-build.yml:5-10
The workflow is configured to trigger on the `labeled` event for pull requests. This will cause the plugin compiler docker images to be rebuilt every time a label is added or removed from a pull request. This is often unnecessary and can lead to wasted CI resources and longer wait times for developers.
💡 Suggestion: Unless there is a specific reason to run this workflow on label changes, consider removing `labeled` from the list of pull request types. CI workflows should typically run on code changes (e.g., `synchronize`, `opened`, `reopened`).

Performance Issues (1)

Severity Location Issue
🟡 Warning .github/workflows/ci-tests.yml:20
The introduction of the `dep-guard` job as a dependency for other jobs (like `lint`) adds a sequential step to the CI pipeline. This will increase the overall wall-clock time for workflows to complete on pull requests. This change is present in multiple workflow files (e.g., `codeql-analysis.yml`, `lint.yml`, `plugin-compiler-build.yml`).
💡 Suggestion: This is an intentional trade-off for enhanced security. The impact on CI execution time should be monitored. If the `dep-guard` job becomes a significant bottleneck, consider if it can be run in parallel with other setup or non-dependent jobs to minimize its impact on the critical path of the workflow.

Powered by Visor from Probelabs

Last updated: 2026-04-17T06:23:53.595Z | Triggered by: pr_opened | Commit: c07c32a

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs probelabs Bot changed the title fix: sync security hardening from release-5.12 (#7956) [TT-16950] fix: sync security hardening from release-5.12 (#7956) Apr 17, 2026