elastic · Mpdreamz · Jun 1, 2026 · Jun 1, 2026
@@ -20,4 +20,6 @@ updates:
   package-ecosystem: pre-commit
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 14
 version: 2
@@ -24,6 +24,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           token: ${{ steps.create-token.outputs.token }}
+          persist-credentials: false
 
       - name: Save current lock file checksums
         run: |
@@ -48,7 +49,7 @@ jobs:
 
       - name: Create pull request
         if: steps.changes.outputs.changed == 'true'
-        uses: peter-evans/create-pull-request@v8.1.1
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ steps.create-token.outputs.token }}
           commit-message: |

@@ -46,9 +46,11 @@ jobs:
         # Checkout is needed to get changed files when the event is not a pull request
         if: contains(fromJSON('["push", "merge_group", "workflow_dispatch"]'), github.event_name)
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Check changes
         id: check-files
-        uses: tj-actions/changed-files@v47.0.6
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
         with:
           files: ${{ inputs.path-pattern }}
           files_ignore: |
@@ -70,6 +72,8 @@ jobs:
         # Skip this for now because it's not clear if we need to or should support it.
         # However, the rest of the workflow is designed to support pull_request_target.
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: elastic/docs-actions/codex/build@v1
         if: needs.check.outputs.any_modified == 'true'
         id: codex-build
@@ -166,7 +170,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PATH_PREFIX: ${{ needs.build.outputs.path_prefix }}
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection] deployment_id from prior step output
             await github.rest.repos.createDeploymentStatus({
               owner: context.repo.owner,
               repo: context.repo.repo,

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         with:
-          persist-credentials: false
+          persist-credentials: true
 
       - name: Validate and extract major version
         env:

@@ -225,7 +225,9 @@ jobs:
       - name: Write check metadata
         if: always() && steps.effective-any-modified.outputs.effective_any_modified != ''
         run: |
-          echo '${{ steps.effective-any-modified.outputs.effective_any_modified }}' > /tmp/effective_any_modified
+          echo '${STEPS_EFFECTIVE_ANY_MODIFIED_OUTPUTS_EFFECTIVE_ANY_MODIFIED}' > /tmp/effective_any_modified
+        env:
+          STEPS_EFFECTIVE_ANY_MODIFIED_OUTPUTS_EFFECTIVE_ANY_MODIFIED: ${{ steps.effective-any-modified.outputs.effective_any_modified }}
 
       - name: Upload check metadata
         if: always() && steps.effective-any-modified.outputs.effective_any_modified != ''
@@ -339,7 +341,10 @@ jobs:
       - name: Skip build
         if: env.MATCH != 'true' || needs.check.outputs.effective_any_modified == 'false'
         run: |
-          echo "::notice::Build skipped (match=${{ env.MATCH }}, any_modified=${{ needs.check.outputs.any_modified }}, effective_any_modified=${{ needs.check.outputs.effective_any_modified }})"
+          echo "::notice::Build skipped (match=${MATCH}, any_modified=${NEEDS_CHECK_OUTPUTS_ANY_MODIFIED}, effective_any_modified=${NEEDS_CHECK_OUTPUTS_EFFECTIVE_ANY_MODIFIED})"
+        env:
+          NEEDS_CHECK_OUTPUTS_ANY_MODIFIED: ${{ needs.check.outputs.any_modified }}
+          NEEDS_CHECK_OUTPUTS_EFFECTIVE_ANY_MODIFIED: ${{ needs.check.outputs.effective_any_modified }}
 
   vale:
     if: >

@@ -595,7 +595,7 @@ jobs:
           LANDING_PAGE_PATH: ${{ needs.build.outputs.landing_page_path }}
         with:
           # language=js
-          script: |
+          script: | # zizmor: ignore[template-injection] deployment_id from prior step output
             await github.rest.repos.createDeploymentStatus({
               owner: context.repo.owner,
               repo: context.repo.repo,