security: harden CI workflows with SHA-pinned actions and dep-guard#130

Open · buger wants to merge 1 commit into main from security/harden-master

Conversation

@buger buger (Member) commented Apr 14, 2026

Summary

  • Pin all uses: to SHA-256: Every GitHub Action reference across all 4 workflows (ci-tests.yml, cla.yml, jira-pr-validator.yaml, visor.yaml) is now pinned to a full 40-character commit SHA instead of mutable tags/branches.
  • Add dependency guard: Added dep-guard job using TykTechnologies/github-actions/.github/workflows/dependency-guard.yml reusable workflow with contents: read permissions. All build jobs (golangci-lint, test, sonar-cloud-analysis) have needs: [dep-guard] to gate on dependency guard passing.
  • Add labeled trigger: All pull_request event types now include labeled to support label-driven workflows.
  • Pin go install to commit SHA: gocovmerge@latest changed to gocovmerge@b5bfa59ec0adc420475f97f89b58045c721d761c.
  • Docker image TODO: Added # TODO: pin to digest once available comment for tykio/ci-tools:latest (digest not resolvable from CI).

Actions pinned

| Action | SHA | Tag |
|---|---|---|
| actions/checkout | 34e114876b0b11c390a56381ad16ebd13914f8d5 | v4 |
| actions/upload-artifact | ea165f8d65b6e75b540449e92b4886f43607fa02 | v4 |
| actions/download-artifact | d3f86a106a0bac45b974a628896c90dbdf5c8093 | v4 |
| actions/setup-go | be3c94b385c4f180051c996d336f57a34c397495 | v3 |
| actions/setup-go | 40f1582b2485089dde7abd97c1529aa768e1baff | v5 |
| golangci/golangci-lint-action | 4afd733a84b1f43292c63897423277bb7f4313a9 | v8 |
| arduino/setup-task | e26d8975574116b0097a1161e0fe16ba75d84c1c | v1 |
| andstor/file-existence-action | f02338908d150e00a4b8bebc2dad18bd9e5229b0 | v1 |
| shrink/actions-docker-extract | 921bf17c6693530407a79458546c735d712a3216 | v3 |
| sonarsource/sonarcloud-github-action | ba3875ecf642b2129de2b589510c81a8b53dbf4e | master |
| contributor-assistant/github-action | b2a7f9fb90217ea0b8a0c95c288221457be4a31f | v2.2.0 |
| TykTechnologies/github-actions | d3fa20888fa2878e877e22bb7702141217290e7c | main |
| TykTechnologies/jira-linter | 38a9cabef56171c4e52ea698fa7be3db5fca3a49 | main |
| probelabs/visor | 02e893ad11b66319b0fca1a43622038171c1a159 | main |

Test plan

  • Verify dep-guard job runs and passes on PR
  • Verify golangci-lint job waits for dep-guard before running
  • Verify test job waits for both dep-guard and golangci-lint
  • Verify sonar-cloud-analysis waits for dep-guard, test, and golangci-lint
  • Verify all SHA-pinned actions resolve correctly
  • Verify labeled event type triggers workflows on label addition

🤖 Generated with Claude Code

…guard

- Pin all GitHub Actions `uses:` references to full SHA-256 commit hashes
- Pin TykTechnologies/github-actions refs to d3fa20888fa2878e877e22bb7702141217290e7c (main)
- Pin TykTechnologies/jira-linter to 38a9cabef56171c4e52ea698fa7be3db5fca3a49 (main)
- Pin probelabs/visor to 02e893ad11b66319b0fca1a43622038171c1a159 (main)
- Add dep-guard job using TykTechnologies reusable dependency-guard workflow
- Add `needs: [dep-guard]` to all build/test jobs in ci-tests.yml
- Add `labeled` to pull_request event types across all PR-triggered workflows
- Pin `go install github.com/wadey/gocovmerge` to commit SHA (b5bfa59e)
- Add TODO comment for tykio/ci-tools Docker image digest pinning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
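As an added example (not code from this PR or from the Tyk repository), a small Python check that enforces the pinning rule the PR applies: it flags every `uses:` reference whose ref is not a full 40-hex commit SHA and every `go install ...@latest`. The two embedded workflow fragments are constructed for illustration; the SHAs in the hardened one are the ones listed in the PR.

```python
import re

# Full 40-hex commit SHA; tags, branches and short SHAs are mutable or ambiguous.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
GO_LATEST_RE = re.compile(r"go\s+install\s+\S+@latest")

def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every mutable reference in a workflow file.
    Digest-pinned docker:// images are reported too; review those by hand."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action in this repo: nothing remote to pin
            version = ref.rsplit("@", 1)[1] if "@" in ref else ""
            if not SHA40.match(version):
                findings.append((lineno, f"mutable or missing ref: {ref}"))
        elif GO_LATEST_RE.search(line):
            findings.append((lineno, "go install @latest resolves to a moving target"))
    return findings

# Constructed sample: the pre-PR shape, tag-pinned actions and a floating go install.
BEFORE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: go install github.com/wadey/gocovmerge@latest
"""

# Constructed sample: the hardened shape, SHA-pinned with a dep-guard gate.
AFTER = """\
jobs:
  dep-guard:
    uses: TykTechnologies/github-actions/.github/workflows/dependency-guard.yml@d3fa20888fa2878e877e22bb7702141217290e7c
    permissions:
      contents: read
  test:
    needs: [dep-guard]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
      - run: go install github.com/wadey/gocovmerge@b5bfa59ec0adc420475f97f89b58045c721d761c
"""

if __name__ == "__main__":
    print(find_unpinned(BEFORE), find_unpinned(AFTER))
```

Run it in CI against every file under `.github/workflows/` and fail the job when the list is non-empty; note it checks reference pins only, not that each job carries `needs: [dep-guard]`.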
CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by posting a Pull Request comment in the same format as below.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request

🚨 Jira Linter Failed

Commit: fcee935
Failed at: 2026-04-14 20:16:22 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate branch and PR title rules: branch name 'security/harden-master' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

probelabs Bot commented Apr 14, 2026

Powered by Visor from Probelabs

Last updated: 2026-04-14T20:16:31.492Z | Triggered by: pr_opened | Commit: fcee935

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs Bot commented Apr 14, 2026

Powered by Visor from Probelabs

Last updated: 2026-04-14T20:16:32.459Z | Triggered by: pr_opened | Commit: fcee935

💡 TIP: You can chat with Visor using /visor ask <your question>
