elastic · Mpdreamz · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
@@ -34,7 +34,7 @@ runs:
 
     - id: dotnet
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         dotnet tool restore
         REPO_VERSION=$(dotnet minver -t=v -p=canary.0 -v=e -m=0.1)
         echo "Version Number: ${REPO_VERSION}"

@@ -9,6 +9,8 @@ updates:
       time: '08:00'
     labels:
       - chore
+    cooldown:
+      default-days: 7
   - package-ecosystem: npm
     directories:
       - '**/*'
@@ -47,3 +49,5 @@ updates:
           - 'System.IO.Abstractions.*'
     labels:
       - chore
+    cooldown:
+      default-days: 7
@@ -12,15 +12,20 @@ on:
         type: string
         default: ${{ github.ref }}
 
+permissions: {}
+
 jobs: 
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       BINARY_PATH: .artifacts/docs-lambda-index-publisher/release_linux-x64/bootstrap
     steps:
       - uses: actions/checkout@v6
         with: 
           ref: ${{ inputs.ref }}
+          persist-credentials: false
       - name: Amazon Linux 2023 build
         run: |
           docker build . -t publish-links-index:latest -f src/infra/docs-lambda-index-publisher/lambda.DockerFile

@@ -21,6 +21,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -41,6 +43,8 @@ jobs:
       MSBuildNoWarn: IDE0032
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -74,6 +78,8 @@ jobs:
         working-directory: src/Elastic.Documentation.Site
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v6
         with:
@@ -122,6 +128,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -141,6 +149,8 @@ jobs:
          - windows-latest
     steps:          
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: 'Windows only, set TEMP to the same drive'
         if: ${{ matrix.os == 'windows-latest' }}
         #  temporary waiting for https://github.com/parcel-bundler/parcel/pull/10095 to fix
@@ -192,6 +202,8 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
@@ -201,7 +213,7 @@ jobs:
         run: dotnet workload install aspire
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
         with:
           role-to-assume: arn:aws:iam::197730964718:role/elastic-docs-v3-integration-tests
           aws-region: us-east-1

@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Get major version
         run: |
           MAJOR_VERSION=$(echo "${GITHUB_REF#refs/tags/}" | awk -F. '{print $1}')

@@ -50,7 +50,7 @@ jobs:
       - name: Match for PR events debug
         if: github.event_name == 'pull_request'
         run: |
-          echo "ref=${{ github.base_ref }}"
+          echo "ref=${GITHUB_BASE_REF}"
           echo "repo=${{ github.repository }}"
 
       - name: Match for push events
@@ -63,7 +63,7 @@ jobs:
       - name: Match for push events debug
         if: github.event_name == 'push'
         run: |
-          echo "ref=${{ github.ref_name }}"
+          echo "ref=${GITHUB_REF_NAME}"
           echo "repo=${{ github.repository }}"
 
       - name: Debug outputs
@@ -96,6 +96,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          persist-credentials: false
 
       - name: Get changed files
         if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
@@ -110,7 +111,7 @@ jobs:
       - name: Get modified file detail
         if: github.event_name == 'pull_request'
         id: check-modified-file-detail
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@v8
         env:
           IGNORE_PATTERNS: |
             .github/**

@@ -12,7 +12,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Check license headers
         run: |
-          ./.github/check-license-headers.sh
+          ./.github/check-license-headers.sh
@@ -5,14 +5,13 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
-  packages: write
+permissions: {}
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pages: write
       id-token: write
     outputs:
@@ -29,6 +28,8 @@ jobs:
       - id: repo-basename
         run: 'echo "value=`basename ${{ github.repository }}`" >> $GITHUB_OUTPUT'
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v6.0.0
@@ -47,19 +48,24 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       full-version: ${{ steps.bootstrap.outputs.full-version }}
       major-version: ${{ steps.bootstrap.outputs.major-version }}
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Bootstrap Action Workspace
         id: bootstrap
         uses: ./.github/actions/bootstrap
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

@@ -3,10 +3,8 @@ name: Release
 on:
   workflow_dispatch: 
 
-permissions:
-  contents: read
-  packages: write
-
+permissions: {}
+
 concurrency:
   group: release-drafter
 
@@ -22,7 +20,7 @@ jobs:
     steps:
       - name: Verify branch
         run: |
-          if [[ "${{ github.ref }}" != refs/heads/main ]]; then
+          if [[ "${GITHUB_REF}" != refs/heads/main ]]; then
             echo "This workflow is only allowed to run on the main branch."
             exit 1
           fi
@@ -47,6 +45,9 @@ jobs:
     needs: 
       - release-drafter
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       full-version: ${{ steps.bootstrap.outputs.full-version }}
       major-version: ${{ steps.bootstrap.outputs.major-version }}
@@ -55,12 +56,13 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ needs.release-drafter.outputs.tag_name }}
+          persist-credentials: false
       - name: Bootstrap Action Workspace
         id: bootstrap
         uses: ./.github/actions/bootstrap
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -185,6 +187,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ needs.release-drafter.outputs.tag_name }}
+          persist-credentials: false
       - name: 'Windows only, set TEMP to the same drive'
         if: ${{ matrix.os == 'windows-latest' }}
         #  temporary waiting for https://github.com/parcel-bundler/parcel/pull/10095 to fix

@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Wait for PR to be ready (if just opened)
         if: github.event_name == 'pull_request_target' && github.event.action == 'opened'
         run: sleep 30

@@ -27,21 +27,26 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Bootstrap Action Workspace
         uses: ./.github/actions/bootstrap
 
       - uses: actions/checkout@v6
         with:
           repository: ${{ matrix.repository }}
           path: test-repo
+          persist-credentials: false
 
       - name: Build documentation
         id: docs-build
         run: |
           dotnet run --project src/tooling/docs-builder -- --strict --path-prefix "/docs" -p test-repo
 
       - name: Verify landing-page-path output
-        run: test ${{ steps.docs-build.outputs.landing-page-path }} == ${{ matrix.landing-page-path-output }}
+        run: test ${STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH} == ${{ matrix.landing-page-path-output }}
+        env:
+          STEPS_DOCS_BUILD_OUTPUTS_LANDING_PAGE_PATH: ${{ steps.docs-build.outputs.landing-page-path }}
 
       - name: Verify link validation
         run: |

@@ -17,6 +17,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Get token
         id: get_token

@@ -0,0 +1,28 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          advanced-security: false
+          annotations: true
+          config: .github/zizmor.yml
@@ -0,0 +1,22 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # Official GitHub and Elastic actions may use tag/branch refs.
+        actions/*: ref-pin
+        elastic/*: ref-pin
+        # All other actions must be pinned to a commit SHA (implicit "*": hash-pin).
+
+  # Intentional pull_request_target for fork PRs / label automation / preview cleanup.
+  dangerous-triggers:
+    ignore:
+      - assembler-preview-cleanup.yml
+      - docs-preview-cleanup-local.yml
+      - required-labels.yml
+
+  # Low-confidence expansions in trusted workflow contexts (github.event, step outputs).
+  template-injection:
+    ignore:
+      - assembler-preview.yml
+      - docs-preview-local.yml
+      - release.yml
@@ -50,5 +50,6 @@ runs:
       shell: bash
       env:
         LINK_REFERENCE_FILE: ${{ inputs.link_reference_file }}
+        INPUTS_AWS_S3_BUCKET_NAME: ${{ inputs.aws_s3_bucket_name }}
       run: |
-        aws s3 cp --checksum-algorithm "SHA256" "${LINK_REFERENCE_FILE}" "s3://${{ inputs.aws_s3_bucket_name }}/${GITHUB_REPOSITORY}/${GITHUB_REF_NAME}/links.json"
+        aws s3 cp --checksum-algorithm "SHA256" "${LINK_REFERENCE_FILE}" "s3://${INPUTS_AWS_S3_BUCKET_NAME}/${GITHUB_REPOSITORY}/${GITHUB_REF_NAME}/links.json"