fix(workflow-templates): pin action SHAs and fix security violations

[borislavr]

Summary

Audited all 11 workflow-templates/*.yml files for security violations using the zizmor
ruleset. Fixed 8 violations across 5 files: unpinned action references (mutable tags
replaced with immutable SHA pins), a template-injection vulnerability, a malformed/impostor
SHA, an overly broad workflow-level permission, and a missing top-level permissions: block.

Issue

No linked issue — self-contained security hardening pass over the workflow templates catalog.

Breaking Change?

• Yes
• No

Scope / Project

workflow-templates

Implementation Notes

• auto-assign-project-to-issue.yml — github.event.issue.title was interpolated
  directly inside a run: block (template-injection). Moved to an env: variable
  (ISSUE_TITLE) so shell cannot interpret attacker-controlled content as code.
• dev-docker-build-selective.yml — actions/checkout@v5 and
  tj-actions/changed-files@v47 were mutable tag refs; pinned to commit SHAs.
  Also removed packages: write from the workflow-level permissions: block — it was
  already correctly scoped to the build job, making the workflow-level grant redundant
  and overly broad.
• dev-mvn-docker-build.yml — metadata-action reference had a malformed SHA
  (m5a557213… — leading m is not valid hex, making this an impostor-commit risk).
  Replaced with the correct e64a1ee2… SHA (v2.2.1), consistent with all other files
  in this repo that reference the same action.
• license-header.yml — apache/skywalking-eyes/header@v0.8.0 and
  peter-evans/create-pull-request@v8.1.1 were mutable tag refs; pinned to their
  respective commit SHAs via the GitHub API.
• scout-cves.yml — docker/login-action@v4 and docker/scout-action@v1 were
  mutable tag refs; pinned to commit SHAs. Added missing top-level
  permissions: contents: read (workflow had no top-level permissions block at all).
• The 6 remaining templates (dev-docker-build-multiple-images.yml,
  dev-docker-build-single-image.yml, pr-assigner.yml, security-scan-apihub.yml,
  security-scan-with-config.yml, security-scan.yml) were audited and found clean.

Tests / Evidence

All SHA pins verified against the GitHub API at time of fix:

• actions/checkout v5 → 93cb6efe18208431cddfb8368fd83d5badbf9bfd
• tj-actions/changed-files v47 → 24d32ffd492484c1d75e0c0b894501ddb9d30d62
• apache/skywalking-eyes/header v0.8.0 → 61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 (dereferenced annotated tag)
• peter-evans/create-pull-request v8.1.1 → 5f6978faf089d4d20b00c7766989d076bb2fc7f1
• docker/login-action v4 → 4907a6ddec9925e35a0a9e82d7399ccc52663121
• docker/scout-action v1 → bacf462e8d090c09660de30a6ccc718035f961e3 (dereferenced annotated tag)

Additional Notes

dev-docker-build-selective.yml line 71 retains persist-credentials: true — this was
pre-existing and intentional for the tj-actions/changed-files step that needs git
history access. It was not changed as part of this audit since removing it would break
the changeset detection logic.