Harden workflow security: delete dependabot branches, fix injection patterns, add zizmor (#59769)

heiskr · Copilot · Copilot · web-flow · commit 1b4a2ba9469e · 2026-02-25T23:19:38.000Z
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/actions/retry-command/action.yml b/.github/actions/retry-command/action.yml
@@ -18,13 +18,17 @@ runs:
   steps:
     - name: Retry command
       shell: bash
+      env:
+        INPUT_MAX_ATTEMPTS: ${{ inputs.max_attempts }}
+        INPUT_DELAY: ${{ inputs.delay }}
+        INPUT_COMMAND: ${{ inputs.command }}
       run: |
         # Generic retry function: configurable attempts and delay
         retry_command() {
-          local max_attempts=${{ inputs.max_attempts }}
-          local delay=${{ inputs.delay }}
+          local max_attempts=${INPUT_MAX_ATTEMPTS}
+          local delay=${INPUT_DELAY}
           local attempt=1
-          local command="${{ inputs.command }}"
+          local command="${INPUT_COMMAND}"
 
           while [ $attempt -le $max_attempts ]; do
             echo "Attempt $attempt/$max_attempts: Running command..."
diff --git a/.github/actions/setup-elasticsearch/action.yml b/.github/actions/setup-elasticsearch/action.yml
@@ -34,14 +34,18 @@ runs:
     - name: Pull Docker image
       shell: bash
       if: steps.cache-docker-layers.outputs.cache-hit != 'true'
-      run: docker pull elasticsearch:${{ inputs.elasticsearch_version }}
+      env:
+        ES_VERSION: ${{ inputs.elasticsearch_version }}
+      run: docker pull elasticsearch:${ES_VERSION}
 
     - name: Save Docker image to cache
       shell: bash
       if: steps.cache-docker-layers.outputs.cache-hit != 'true'
+      env:
+        ES_VERSION: ${{ inputs.elasticsearch_version }}
       run: |
         mkdir -p /tmp/docker-cache
-        docker save -o /tmp/docker-cache/elasticsearch.tar elasticsearch:${{ inputs.elasticsearch_version }}
+        docker save -o /tmp/docker-cache/elasticsearch.tar elasticsearch:${ES_VERSION}
 
     # Setups the Elasticsearch container
     # Derived from https://github.com/getong/elasticsearch-action
diff --git a/.github/workflows/auto-close-dependencies.yml b/.github/workflows/auto-close-dependencies.yml
@@ -19,7 +19,7 @@ on:
       - submitted
 
 permissions:
-  contents: read
+  contents: write
   pull-requests: write
 
 jobs:
@@ -34,12 +34,12 @@ jobs:
       }}
     runs-on: ubuntu-latest
     steps:
-      - name: Close pull request
+      - name: Close pull request and delete branch
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          gh pr close "$PR_URL"
+          gh pr close "$PR_URL" --delete-branch
 
       - name: Comment on the pull request
         env:
diff --git a/.github/workflows/close-on-invalid-label.yaml b/.github/workflows/close-on-invalid-label.yaml
@@ -27,13 +27,15 @@ jobs:
         if: ${{ github.event_name == 'issues' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh issue close ${{ github.event.issue.html_url }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+        run: gh issue close "$ISSUE_URL"
 
       - name: Close PR
         if: ${{ github.event_name == 'pull_request_target' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh pr close ${{ github.event.pull_request.html_url }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr close "$PR_URL"
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'pull_request_target' }}
diff --git a/.github/workflows/generate-code-scanning-query-lists.yml b/.github/workflows/generate-code-scanning-query-lists.yml
@@ -24,8 +24,7 @@ on:
       - .github/actions/install-cocofix/action.yml
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   generate-security-query-lists:
@@ -159,6 +158,9 @@ jobs:
   create-pull-request:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     needs: [generate-security-query-lists, generate-quality-query-lists]
     steps:
       - name: Checkout repository code
diff --git a/.github/workflows/link-check-internal.yml b/.github/workflows/link-check-internal.yml
@@ -17,7 +17,6 @@ on:
 
 permissions:
   contents: read
-  issues: write
 
 jobs:
   # Determine which version/language combos to run
@@ -35,14 +34,18 @@ jobs:
       - name: Set matrix
         id: set-matrix
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
             # Manual run: use the provided version and language
-            echo 'matrix={"include":[{"version":"${{ inputs.version }}","language":"${{ inputs.language }}"}]}' >> $GITHUB_OUTPUT
+            echo "matrix={\"include\":[{\"version\":\"${INPUT_VERSION}\",\"language\":\"${INPUT_LANGUAGE}\"}]}" >> $GITHUB_OUTPUT
           else
             # Scheduled run: English free-pro-team + English latest enterprise-server
             LATEST_GHES=$(npx tsx -e "import { latest } from './src/versions/lib/enterprise-server-releases'; console.log(latest)")
             echo "matrix={\"include\":[{\"version\":\"free-pro-team@latest\",\"language\":\"en\"},{\"version\":\"enterprise-server@${LATEST_GHES}\",\"language\":\"en\"}]}" >> $GITHUB_OUTPUT
           fi
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_LANGUAGE: ${{ inputs.language }}
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
@@ -104,6 +107,8 @@ jobs:
     if: always() && github.repository == 'github/docs-internal'
     needs: [setup-matrix, check-internal-links]
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/needs-sme-workflow.yml b/.github/workflows/needs-sme-workflow.yml
@@ -13,13 +13,13 @@ on:
 
 permissions:
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   add-issue-comment:
     if: ${{ github.repository == 'github/docs' && (github.event.label.name == 'needs SME' && github.event_name == 'issues') }}
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -39,6 +39,8 @@ jobs:
   add-pr-comment:
     if: ${{ github.repository == 'github/docs' && (github.event.label.name == 'needs SME' && github.event_name == 'pull_request_target') }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/ready-for-doc-review.yml b/.github/workflows/ready-for-doc-review.yml
@@ -37,11 +37,15 @@ jobs:
 
       - name: Set AUTHOR_LOGIN
         run: |
-          if [[ "${{ github.event.pull_request.assignee.login && github.event.pull_request.user.login == 'docs-bot' }}" ]]; then
-            echo "AUTHOR_LOGIN=${{ github.event.pull_request.assignee.login }}" >> $GITHUB_ENV
+          if [[ "${IS_DOCS_BOT_ASSIGNEE}" == "true" ]]; then
+            echo "AUTHOR_LOGIN=${ASSIGNEE_LOGIN}" >> $GITHUB_ENV
           else
-            echo "AUTHOR_LOGIN=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV
+            echo "AUTHOR_LOGIN=${USER_LOGIN}" >> $GITHUB_ENV
           fi
+        env:
+          IS_DOCS_BOT_ASSIGNEE: ${{ github.event.pull_request.assignee.login && github.event.pull_request.user.login == 'docs-bot' }}
+          ASSIGNEE_LOGIN: ${{ github.event.pull_request.assignee.login }}
+          USER_LOGIN: ${{ github.event.pull_request.user.login }}
 
       - name: Run script
         run: |
diff --git a/.github/workflows/sync-graphql.yml b/.github/workflows/sync-graphql.yml
@@ -10,13 +10,15 @@ on:
     - cron: '20 16 * * 1-5' # Run Mon-Fri at 16:20 UTC / 8:20 PST
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update_graphql_files:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       ignored-changes: ${{ steps.sync.outputs.ignored-changes }}
       ignored-count: ${{ steps.sync.outputs.ignored-count }}
diff --git a/.github/workflows/triage-stale-check.yml b/.github/workflows/triage-stale-check.yml
@@ -10,14 +10,15 @@ on:
 
 permissions:
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   stale_contributor:
     name: Identify and close stale issues and PRs
     if: github.repository == 'github/docs'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
 
     steps:
       - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
@@ -55,6 +56,9 @@ jobs:
     name: Remind staff about PRs waiting for review
     if: github.repository == 'github/docs'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,33 @@
+name: Workflow security lint
+
+# **What it does**: Runs zizmor to detect security issues in GitHub Actions workflows.
+# **Why we have it**: To catch injection vulnerabilities and other security misconfigurations before they ship.
+# **Who does it impact**: Docs engineering.
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+      - '.github/zizmor.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    if: github.repository == 'github/docs-internal'
+    name: zizmor
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        with:
+          online-audits: 'false'
+          advanced-security: 'false'
+          annotations: 'true'
+          min-severity: 'high'
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,22 @@
+rules:
+  # pull_request_target is required for workflows that need write access
+  # on PRs from forks (e.g. labeling, commenting). We audit these manually.
+  dangerous-triggers:
+    disable: true
+
+  # moda-ci uses reusable workflows (uses:) which don't support job-level
+  # permissions. id-token:write and attestations:write are needed by docker-image
+  # for attestation but can't be scoped to that job alone.
+  excessive-permissions:
+    ignore:
+      - moda-ci.yaml
+
+  # actions/* has immutable tags, so ref-pinning is sufficient.
+  # github/internal-actions is a private GitHub org repo, ref-pin is fine.
+  # Everything else must be hash-pinned.
+  unpinned-uses:
+    config:
+      policies:
+        'actions/*': ref-pin
+        'github/internal-actions/*': ref-pin
+        '*': hash-pin
