security: hardening batch (pin actions, sanitize PR inputs, verify pushers, escape comments)

.github/aw/actions-lock.json

@@ -10,6 +10,11 @@
       "version": "v5.0.5",
       "sha": "27d5ce7f107fe9357f9df03efb73ab90386fccae"
     },
+    "actions/checkout@v6": {
+      "repo": "actions/checkout",
+      "version": "v6",
+      "sha": "df4cb1c069e1874edd31b4311f1884172cec0e10"
+    },
     "actions/checkout@v6.0.2": {
       "repo": "actions/checkout",
       "version": "v6.0.2",

.github/workflows/changelog-submit.yml

@@ -33,38 +33,6 @@ jobs:
       should-submit: ${{ steps.evaluate.outputs.should-submit }}
       is-org-member: ${{ steps.check-org-membership.outputs.is-member }}
     steps:
-      - name: Resolve PR author
-        id: pr-author
-        if: github.event.workflow_run.head_repository.full_name != github.repository
-        uses: actions/github-script@v9
-        with:
-          # language=js
-          script: |
-            const run = context.payload.workflow_run;
-            const { owner, repo } = context.repo;
-
-            let prNumber;
-            if (run.pull_requests?.length > 0) {
-              prNumber = run.pull_requests[0].number;
-            } else {
-              const headLabel = `${run.head_repository.owner.login}:${run.head_branch}`;
-              const { data: prs } = await github.rest.pulls.list({
-                owner, repo, state: 'open', head: headLabel
-              });
-              const match = prs.find(pr => pr.head.sha === run.head_sha);
-              if (match) prNumber = match.number;
-            }
-
-            if (!prNumber) {
-              core.setFailed('Could not resolve PR number for fork — cannot verify org membership. Failing closed.');
-              return;
-            }
-
-            const { data: pr } = await github.rest.pulls.get({
-              owner, repo, pull_number: prNumber
-            });
-            core.setOutput('login', pr.user.login);
-
       - name: Fetch ephemeral GitHub token
         if: github.event.workflow_run.head_repository.full_name != github.repository
         id: fetch-ephemeral-token
@@ -78,7 +46,6 @@ jobs:
         if: github.event.workflow_run.head_repository.full_name != github.repository
         uses: elastic/docs-actions/github/is-elastic-org-member@v1
         with:
-          username: ${{ steps.pr-author.outputs.login }}
           token: ${{ steps.fetch-ephemeral-token.outputs.token }}
 
       - name: Evaluate

.github/workflows/docs-deploy.yml

@@ -176,6 +176,7 @@ jobs:
             core.setOutput('base-ref', pr.base.ref);
             core.setOutput('pr-author', pr.user.login);
 
+
             // --- Changed-files check (docs-relevant files only) ---
             const files = await github.paginate(github.rest.pulls.listFiles, {
               owner, repo, pull_number: prNumber
@@ -259,7 +260,6 @@ jobs:
         if: steps.context.outputs.is-fork == 'true' && steps.context.outputs.event == 'pull_request'
         uses: elastic/docs-actions/github/is-elastic-org-member@v1
         with:
-          username: ${{ steps.context.outputs.pr-author }}
           token: ${{ steps.fetch-ephemeral-token.outputs.token }}
 
       - name: Evaluate
@@ -375,6 +375,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      packages: read
     outputs:
       build_outcome: ${{ steps.docs-build.outcome == 'success' && 'success' || '' }}
       skip: ${{ steps.docs-build.outputs.skip }}
@@ -437,11 +438,30 @@ jobs:
           echo "PATH_PREFIX=${path_prefix}" >> "$GITHUB_ENV"
           echo "result=${path_prefix}" >> "$GITHUB_OUTPUT"
 
+      # Resolve the mutable :edge tag to an immutable RepoDigest before
+      # running the container.
+      - name: Pull and pin docs-builder image
+        id: docker-image
+        # language=bash
+        run: |
+          IMAGE="ghcr.io/elastic/docs-builder:edge"
+          docker pull "$IMAGE"
+          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE")
+          if [ -z "$DIGEST" ]; then
+            echo "::error::Failed to resolve RepoDigest for ${IMAGE}"
+            exit 1
+          fi
+          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
+          echo "::notice title=docs-builder image digest::${DIGEST}"
+
       # Run docs-builder in Docker isolation. Only explicitly listed env vars are
       # passed to the container — ACTIONS_RUNTIME_TOKEN, ACTIONS_CACHE_URL, and
       # OIDC env vars are excluded to prevent cache poisoning and credential
       # theft if the build tool is compromised via malicious content.
       #
+      # The image is referenced by digest (resolved above) so the run is
+      # immutable for this workflow execution.
+      #
       # Future: add --network none once docs-builder has an init command to
       # preload the link index before the build.
       - name: Build documentation
@@ -465,7 +485,7 @@ jobs:
             -e GITHUB_REF="refs/heads/${HEAD_BRANCH}" \
             -e INPUT_PREFIX="${PATH_PREFIX}" \
             -e INPUT_STRICT="${STRICT_FLAG}" \
-            ghcr.io/elastic/docs-builder:edge || EXIT_CODE=$?
+            "${IMAGE_DIGEST}" || EXIT_CODE=$?
 
           if [ -s "$CONTAINER_OUTPUT" ]; then
             cat "$CONTAINER_OUTPUT" >> "$GITHUB_OUTPUT"
@@ -474,6 +494,7 @@ jobs:
           exit $EXIT_CODE
         env:
           STRICT_FLAG: ${{ fromJSON(inputs.strict != '' && inputs.strict || 'true') }}
+          IMAGE_DIGEST: ${{ steps.docker-image.outputs.digest }}
 
       - name: Upload links artifact
         id: upload-links