Conversation
Mpdreamz
left a comment
We pin all actions except elastic/* and github/*; this is per infosec's policies too.
The thinking is we can fix them fast too if something is wrong.
Leaving elastic/vale alone is thus fine.
@copilot resolve the merge conflicts in this pull request
Co-authored-by: Mpdreamz <245275+Mpdreamz@users.noreply.github.com>
Reverted both
Merge conflicts resolved in commit

@Mpdreamz The merge fixed the pinning, so it's ready for review
Summary
- docs-build.yml: Pin elastic/vale-rules/lint to SHA (https://github.com/elastic/docs-eng-team/issues/498)
- docs-deploy.yml: Pin elastic/vale-rules/report to SHA (https://github.com/elastic/docs-eng-team/issues/498 / https://github.com/elastic/docs-eng-team/issues/509) + symlink guard (https://github.com/elastic/docs-eng-team/issues/529)
- codex-preview.yml: Symlink rejection before deploy (https://github.com/elastic/docs-eng-team/issues/507)

Copilot summary:
This pull request introduces additional safety checks to the documentation build and deployment workflows by rejecting symlinks in build outputs and artifacts, and it also pins GitHub Actions for improved reliability and reproducibility. These changes help prevent potential security or deployment issues caused by symbolic links and ensure consistent action versions are used.
Symlink rejection:
- codex-preview.yml workflow to fail the build if any symlinks are found in the docs build output directory.
- docs-deploy.yml workflow to fail the process if any symlinks are found in the /tmp/link-index-upload artifact before uploading.

Workflow reliability:
- docs-build.yml workflow to pin the elastic/vale-rules/lint action to a specific commit hash instead of using the main branch.
- docs-deploy.yml workflow to pin the elastic/vale-rules/report action to a specific commit hash instead of using the main branch.
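As an added example, not code from this PR or from the elastic/docs-eng-team project, here are two POSIX shell guards mirroring the two checks the summary describes: rejecting symlinks in a build output directory, and flagging `uses:` lines that are not pinned to a commit SHA (with the elastic/* and github/* exemption from the review comment above). The demo directory, workflow file and 40-hex SHA are constructed placeholders.

```shell
# Added example, not code from this PR: two shell guards in the spirit of the checks
# the PR describes (symlink rejection in build output, actions pinned to a commit SHA).

# Return 1 if any symlink exists below DIR (printing each one), 2 if DIR is missing.
reject_symlinks() {
  dir="$1"
  [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
  links=$(find "$dir" -type l)
  [ -z "$links" ] && return 0
  printf 'symlink(s) found under %s, refusing to continue:\n%s\n' "$dir" "$links" >&2
  return 1
}

# Return 1 if any `uses:` line in workflow FILE is not pinned to a 40-hex commit SHA.
# elastic/* and github/* are exempt (policy from the review comment); local ./ actions carry no ref.
check_pins() {
  file="$1"
  bad=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    case "$ref" in
      elastic/*|github/*|./*) continue ;;
    esac
    if ! printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}([[:space:]]|$)'; then
      printf 'unpinned action: %s\n' "$ref" >&2
      bad=1
    fi
  done <<EOF
$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$file" | sed -E 's/^[^:]*:[[:space:]]*//' | tr -d "\"'")
EOF
  return "$bad"
}

# Constructed demo: a build dir containing one escaping symlink, and a workflow with
# one pinned step (placeholder SHA), one exempt step and one unpinned step.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/docs" && : > "$tmp/docs/index.html"
  ln -s /etc/passwd "$tmp/docs/escape"   # a link like this would publish a file from outside the build
  cat > "$tmp/wf.yml" <<'YAML'
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
  - uses: elastic/vale-rules/lint@main
  - uses: actions/upload-artifact@v4
YAML
  reject_symlinks "$tmp/docs" || echo "build rejected (status $?)"
  check_pins "$tmp/wf.yml"    || echo "pin check failed (status $?)"
  rm -rf "$tmp"
}
demo
```

Either function can be dropped into a workflow step as `run:`; a nonzero return fails the job before the upload or deploy step runs.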