fix(ci): 🛡️ mitigate CVE-2025-8869 by enforcing wheels-only pip installs and upgrading pinned dependencies (#4598)

# Description of Changes

This PR mitigates **CVE-2025-8869** (GHSA-4xh5-x5gv-qwph), a
high-severity vulnerability in `pip` ≤ 25.2 that allows arbitrary file
overwrite via unsafe tar extraction in sdist fallback handling.

**What was changed:**
- Added environment variables to all GitHub Actions (`pre_commit.yml`, `sync_files.yml`) to **enforce binary-only installs**:
  - `PIP_ONLY_BINARY=":all:"`
  - `PIP_DISABLE_PIP_VERSION_CHECK="1"`
- Updated multiple `.github/scripts/*.txt` requirements to use Python 3.12 as the generation base.
- Upgraded pinned dependencies to latest secure versions:
  - `filelock 3.19.1`, `identify 2.6.15`, `platformdirs 4.4.0`, `pyyaml 6.0.3`, `behave 1.3.3`, `pypdf 6.1.1`, `reportlab 4.4.4`, `requests 2.32.5`
- Adjusted file path formatting (`\` → `/`) for consistent cross-platform compatibility.

**Why the change was made:**
To prevent exploitation of the tar extraction vulnerability in
vulnerable pip versions when installing from source distributions during
CI runs.

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
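The PR avoids pip's sdist path altogether rather than hardening the extraction step. As an added example from the editor, not code from this PR or from pip, the stdlib-only checker below shows the defect class being sidestepped: it lists the members of a tar archive that an unsafe extractor would write outside the target directory. `escapes_root`, `unsafe_members` and the inline sample archive are constructed for this illustration.

```python
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if a POSIX archive path would resolve outside the extraction
    directory: absolute, or climbing above it with '..' after normalisation."""
    if posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> dict:
    """Map member name -> reason for every entry that must not be extracted.
    Hypothetical helper for this example; it inspects only, never extracts."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for m in tar.getmembers():
            if escapes_root(m.name):
                findings[m.name] = "path escapes extraction root"
            elif m.issym():
                # A symlink target is resolved relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_root(target):
                    findings[m.name] = "symlink target escapes extraction root"
            elif m.islnk() and escapes_root(m.linkname):
                findings[m.name] = "hardlink target escapes extraction root"
            elif m.isdev():
                findings[m.name] = "device node"
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign sdist-style file plus three entries of
    the kind an unsafe tar extractor would write outside the target tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg-1.0/setup.py", "../../.bashrc", "/etc/passwd"):
            payload = b"# placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg-1.0/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_archive()).items():
        print(f"REJECT {name}: {reason}")
```

With `PIP_ONLY_BINARY=":all:"` set, pip never reaches this kind of extraction for the pinned requirements; the checker is what you would want in a tool that still has to open untrusted tarballs.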
Author: Ludy
Date: 2025-10-04 13:50:37 +02:00 (committed by GitHub)
Parent: 3476c36a2a
Commit: 655471ef29
6 changed files with 129 additions and 141 deletions


@@ -12,6 +12,10 @@ permissions:
jobs:
pre-commit:
runs-on: ubuntu-latest
env:
# Prevents sdist builds → no tar extraction
PIP_ONLY_BINARY: ":all:"
PIP_DISABLE_PIP_VERSION_CHECK: "1"
permissions:
contents: write
pull-requests: write
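Review bot: the comment `# Prevents sdist builds → no tar extraction` should also state the failure mode of `PIP_ONLY_BINARY: ":all:"`: a pin in `requirements_pre_commit.txt` that has no wheel for the runner's Python no longer falls back to the sdist but makes the install fail outright. That is the intended behaviour here, but the next person bumping a pin will hit it, so spell it out, e.g. `# Prevents sdist builds → no tar extraction; install fails if a pin has no wheel`. Placing the block at job level is fine since it covers every step in `pre-commit`.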
@@ -42,7 +46,7 @@ jobs:
- name: Run Pre-Commit Hooks
run: |
pip install --require-hashes -r ./.github/scripts/requirements_pre_commit.txt
pip install --require-hashes --only-binary=:all: -r ./.github/scripts/requirements_pre_commit.txt
- run: pre-commit run --all-files -c .pre-commit-config.yaml
continue-on-error: true
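Review bot: `--only-binary=:all:` on the `pip install` line duplicates the job-level `PIP_ONLY_BINARY: ":all:"` added a few lines above; harmless as belt and braces, but if that is deliberate a short comment (the sync workflow uses `# Wheels-only + Hash-Pinning`) stops someone removing one of them as redundant. Neither setting updates the runner's own pip, so the vulnerable tar path is avoided rather than patched; any future `pip install` in this job that drops the flag and the env var loses the mitigation.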


@@ -30,6 +30,10 @@ permissions:
jobs:
sync-files:
runs-on: ubuntu-latest
env:
# Prevents sdist builds → no tar extraction
PIP_ONLY_BINARY: ":all:"
PIP_DISABLE_PIP_VERSION_CHECK: "1"
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
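Review bot: `PIP_DISABLE_PIP_VERSION_CHECK: "1"` is not covered by the comment above it, which only explains `PIP_ONLY_BINARY`. It merely suppresses pip's "new version available" notice and does not affect the CVE, so either drop it from a security-motivated change or extend the comment to say why it is here (quieter logs, one fewer index request). The job-level `env` placement is fine: it applies to every step in `sync-files`, and the `Harden Runner` step does not invoke pip.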
@@ -61,7 +65,9 @@ jobs:
git diff --staged --quiet || git commit -m ":memo: Sync translation files" || echo "No changes detected"
- name: Install dependencies
run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt
# Wheels-only + Hash-Pinning
run: |
pip install --require-hashes --only-binary=:all: -r ./.github/scripts/requirements_sync_readme.txt
- name: Sync README.md
run: |
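Review bot: the `# Wheels-only + Hash-Pinning` comment sits between `name:` and `run:`, where someone skimming the YAML keys can miss it; put it on the command line inside the `run: |` block next to `--only-binary=:all:` instead. As in the pre-commit job, the explicit flag duplicates the job-level `PIP_ONLY_BINARY`, so keep both only if that is intentional and say so. Unrelated to this hunk's change but visible in its context: `git diff --staged --quiet || git commit -m ... || echo "No changes detected"` reports a failed commit as "no changes", which is worth a follow-up.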