elastic · Mpdreamz · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -34,7 +34,7 @@ runs:
 
     - id: dotnet
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         dotnet tool restore
         REPO_VERSION=$(dotnet minver -t=v -p=canary.0 -v=e -m=0.1)
         echo "Version Number: ${REPO_VERSION}"

@@ -9,6 +9,8 @@ updates:
       time: '08:00'
     labels:
       - chore
+    cooldown:
+      default-days: 14
   - package-ecosystem: npm
     directories:
       - '**/*'
@@ -47,3 +49,5 @@ updates:
           - 'System.IO.Abstractions.*'
     labels:
       - chore
+    cooldown:
+      default-days: 14
@@ -118,7 +118,7 @@ jobs:
         if: always() && steps.deployment.outputs.result
         uses: actions/github-script@v9
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection] deployment_id from prior step output
             await github.rest.repos.createDeploymentStatus({
               owner: context.repo.owner,
               repo: context.repo.repo,

@@ -12,15 +12,20 @@ on:
         type: string
         default: ${{ github.ref }}
 
+permissions: {}
+
 jobs: 
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       BINARY_PATH: .artifacts/docs-lambda-index-publisher/release_linux-x64/bootstrap
     steps:
       - uses: actions/checkout@v6
         with: 
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       - name: Amazon Linux 2023 build
         run: |
           docker build . -t publish-links-index:latest -f src/infra/docs-lambda-index-publisher/lambda.DockerFile

@@ -21,6 +21,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -41,6 +43,8 @@ jobs:
       MSBuildNoWarn: IDE0032
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -74,6 +78,8 @@ jobs:
         working-directory: src/Elastic.Documentation.Site
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v6
         with:
@@ -122,6 +128,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -141,6 +149,8 @@ jobs:
          - windows-latest
     steps:          
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: 'Windows only, set TEMP to the same drive'
         if: ${{ matrix.os == 'windows-latest' }}
         #  temporary waiting for https://github.com/parcel-bundler/parcel/pull/10095 to fix
@@ -192,6 +202,8 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -201,7 +213,7 @@ jobs:
         run: dotnet workload install aspire
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
         with:
           role-to-assume: arn:aws:iam::197730964718:role/elastic-docs-v3-integration-tests
           aws-region: us-east-1

@@ -22,7 +22,7 @@ jobs:
         #  - https://github.com/tj-actions/changed-files?tab=readme-ov-file#using-githubs-api-octocat
       - name: Get changed files
         id: check-files
-        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45.0.6
+        uses: tj-actions/changed-files@a284dc1814e3fd07f2e34267fc8f81227ed29fb8 # v45.0.6
         with:
           files: |
             **/*.asciidoc

@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: true
       - name: Get major version
         run: |
           MAJOR_VERSION=$(echo "${GITHUB_REF#refs/tags/}" | awk -F. '{print $1}')

@@ -50,7 +50,7 @@ jobs:
       - name: Match for PR events debug
         if: github.event_name == 'pull_request'
         run: |
-          echo "ref=${{ github.base_ref }}"
+          echo "ref=${GITHUB_BASE_REF}"
           echo "repo=${{ github.repository }}"
 
       - name: Match for push events
@@ -63,11 +63,11 @@ jobs:
       - name: Match for push events debug
         if: github.event_name == 'push'
         run: |
-          echo "ref=${{ github.ref_name }}"
+          echo "ref=${GITHUB_REF_NAME}"
           echo "repo=${{ github.repository }}"
 
       - name: Debug outputs
-        run: |
+        run: | # zizmor: ignore[template-injection] debug echoes of trusted step outputs
           echo "content-source-match: ${{ format('{0}{1}', steps.pr-check.outputs.content-source-match, steps.push-check.outputs.content-source-match) }}"
           echo "content-source-next: ${{ format('{0}{1}', steps.pr-check.outputs.content-source-next, steps.push-check.outputs.content-source-next) }}"
           echo "content-source-current: ${{ format('{0}{1}', steps.pr-check.outputs.content-source-current, steps.push-check.outputs.content-source-current) }}"
@@ -96,6 +96,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          persist-credentials: false
 
       - name: Get changed files
         if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
@@ -110,7 +111,7 @@ jobs:
       - name: Get modified file detail
         if: github.event_name == 'pull_request'
         id: check-modified-file-detail
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
         env:
           IGNORE_PATTERNS: |
             .github/**
@@ -373,7 +374,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           LANDING_PAGE_PATH: ${{ env.PATH_PREFIX }}
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection] deployment_id from prior step output
             await github.rest.repos.createDeploymentStatus({
               owner: context.repo.owner,
               repo: context.repo.repo,

@@ -12,7 +12,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Check license headers
         run: |
-          ./.github/check-license-headers.sh
+          ./.github/check-license-headers.sh
@@ -5,14 +5,13 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
-  packages: write
+permissions: {}
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pages: write
       id-token: write
     outputs:
@@ -29,6 +28,8 @@ jobs:
       - id: repo-basename
         run: 'echo "value=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT'
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v6.0.0
@@ -47,19 +48,24 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       full-version: ${{ steps.bootstrap.outputs.full-version }}
       major-version: ${{ steps.bootstrap.outputs.major-version }}
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
         uses: ./.github/actions/bootstrap
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

@@ -3,10 +3,8 @@ name: Release
 on:
   workflow_dispatch: 
 
-permissions:
-  contents: read
-  packages: write
-
+permissions: {}
+
 concurrency:
   group: release-drafter
 
@@ -22,7 +20,7 @@ jobs:
     steps:
       - name: Verify branch
         run: |
-          if [[ "${{ github.ref }}" != refs/heads/main ]]; then
+          if [[ "${GITHUB_REF}" != refs/heads/main ]]; then
             echo "This workflow is only allowed to run on the main branch."
             exit 1
           fi
@@ -35,7 +33,7 @@ jobs:
       - name: Create tag
         uses: actions/github-script@v9
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection] tag_name from release-drafter on main
             github.rest.git.createRef({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -47,6 +45,9 @@ jobs:
     needs: 
       - release-drafter
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       full-version: ${{ steps.bootstrap.outputs.full-version }}
       major-version: ${{ steps.bootstrap.outputs.major-version }}
@@ -55,12 +56,13 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ needs.release-drafter.outputs.tag_name }}
+          persist-credentials: false
       - name: Bootstrap Action Workspace
         id: bootstrap
         uses: ./.github/actions/bootstrap
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -185,6 +187,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ needs.release-drafter.outputs.tag_name }}
+          persist-credentials: false
       - name: 'Windows only, set TEMP to the same drive'
         if: ${{ matrix.os == 'windows-latest' }}
         #  temporary waiting for https://github.com/parcel-bundler/parcel/pull/10095 to fix

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Wait for PR to be ready (if just opened)
         if: github.event_name == 'pull_request_target' && github.event.action == 'opened'
         run: sleep 30

@@ -27,21 +27,26 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Bootstrap Action Workspace
         uses: ./.github/actions/bootstrap
 
       - uses: actions/checkout@v6
         with:
           repository: ${{ matrix.repository }}
           path: test-repo
+          persist-credentials: false
 
       - name: Build documentation
         id: docs-build
         run: |
           dotnet run --project src/tooling/docs-builder -- --strict --path-prefix "/docs" -p test-repo
 
       - name: Verify landing-page-path output
-        run: test ${{ steps.docs-build.outputs.landing-page-path }} == ${{ matrix.landing-page-path-output }}
+        run: test "${STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH}" = "${{ matrix.landing-page-path-output }}"
+        env:
+          STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH: ${{ steps.docs-build.outputs.landing-page-path }}
 
       - name: Verify link validation
         run: |

@@ -17,6 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Get token
         id: get_token

@@ -0,0 +1,28 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          advanced-security: false
+          annotations: true
+          config: .github/zizmor.yml