Repo sync

.github/actions/retry-command/action.yml

@@ -18,13 +18,17 @@ runs:
   steps:
     - name: Retry command
       shell: bash
+      env:
+        INPUT_MAX_ATTEMPTS: ${{ inputs.max_attempts }}
+        INPUT_DELAY: ${{ inputs.delay }}
+        INPUT_COMMAND: ${{ inputs.command }}
       run: |
         # Generic retry function: configurable attempts and delay
         retry_command() {
-          local max_attempts=${{ inputs.max_attempts }}
-          local delay=${{ inputs.delay }}
+          local max_attempts=${INPUT_MAX_ATTEMPTS}
+          local delay=${INPUT_DELAY}
           local attempt=1
-          local command="${{ inputs.command }}"
+          local command="${INPUT_COMMAND}"
 
           while [ $attempt -le $max_attempts ]; do
             echo "Attempt $attempt/$max_attempts: Running command..."

.github/actions/setup-elasticsearch/action.yml

@@ -34,14 +34,18 @@ runs:
     - name: Pull Docker image
       shell: bash
       if: steps.cache-docker-layers.outputs.cache-hit != 'true'
-      run: docker pull elasticsearch:${{ inputs.elasticsearch_version }}
+      env:
+        ES_VERSION: ${{ inputs.elasticsearch_version }}
+      run: docker pull elasticsearch:${ES_VERSION}
 
     - name: Save Docker image to cache
       shell: bash
       if: steps.cache-docker-layers.outputs.cache-hit != 'true'
+      env:
+        ES_VERSION: ${{ inputs.elasticsearch_version }}
       run: |
         mkdir -p /tmp/docker-cache
-        docker save -o /tmp/docker-cache/elasticsearch.tar elasticsearch:${{ inputs.elasticsearch_version }}
+        docker save -o /tmp/docker-cache/elasticsearch.tar elasticsearch:${ES_VERSION}
 
     # Setups the Elasticsearch container
     # Derived from https://github.com/getong/elasticsearch-action

.github/workflows/auto-close-dependencies.yml

@@ -19,7 +19,7 @@ on:
       - submitted
 
 permissions:
-  contents: read
+  contents: write
   pull-requests: write
 
 jobs:
@@ -34,12 +34,12 @@ jobs:
       }}
     runs-on: ubuntu-latest
     steps:
-      - name: Close pull request
+      - name: Close pull request and delete branch
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          gh pr close "$PR_URL"
+          gh pr close "$PR_URL" --delete-branch
 
       - name: Comment on the pull request
         env:

.github/workflows/close-on-invalid-label.yaml

@@ -27,13 +27,15 @@ jobs:
         if: ${{ github.event_name == 'issues' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh issue close ${{ github.event.issue.html_url }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+        run: gh issue close "$ISSUE_URL"
 
       - name: Close PR
         if: ${{ github.event_name == 'pull_request_target' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh pr close ${{ github.event.pull_request.html_url }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: gh pr close "$PR_URL"
 
       - name: Check out repo
         if: ${{ failure() && github.event_name != 'pull_request_target' }}

.github/workflows/content-pipelines.yml

@@ -22,7 +22,6 @@ on:
 permissions:
   contents: write
   pull-requests: write
-  copilot-requests: write
 
 env:
   HUSKY: 0
@@ -71,11 +70,11 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
           if git ls-remote --exit-code --heads origin "$UPDATE_BRANCH" > /dev/null 2>&1; then
-            git fetch origin "$UPDATE_BRANCH"
+            git fetch origin "$UPDATE_BRANCH" main
             git checkout "$UPDATE_BRANCH"
             git merge origin/main --no-edit || {
               echo "Merge conflict with main — resetting branch to main"
-              git merge --abort
+              git merge --abort 2>/dev/null || true
               git checkout main
               git branch -D "$UPDATE_BRANCH"
               git push origin --delete "$UPDATE_BRANCH" || true
@@ -89,6 +88,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_BASE }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COPILOT_GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_COPILOT }}
         run: npx tsx src/content-pipelines/scripts/update.ts --id "${{ matrix.id }}"
 
       - name: Commit changes
@@ -131,6 +131,7 @@ jobs:
           PR_BODY+="Runs the \`content-pipeline-update\` agent (${PIPELINE_ID}) against the latest source docs and updates official articles under \`content/\` that have fallen out of sync."$'\n\n'
           PR_BODY+="## Review"$'\n\n'
           PR_BODY+="* Review each commit for accuracy — the agent uses AI, so spot-check important changes"$'\n'
+          PR_BODY+="* To adjust agent behavior, see [Modifying results](${{ github.server_url }}/${{ github.repository }}/blob/main/src/content-pipelines/README.md#modifying-results)"$'\n'
           PR_BODY+="* Once satisfied, merge to keep docs up to date"$'\n'
           PR_BODY+="* A new PR will be created on the next run if there are further changes"
 

.github/workflows/generate-code-scanning-query-lists.yml

@@ -24,8 +24,7 @@ on:
       - .github/actions/install-cocofix/action.yml
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   generate-security-query-lists:
@@ -159,6 +158,9 @@ jobs:
   create-pull-request:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     needs: [generate-security-query-lists, generate-quality-query-lists]
     steps:
       - name: Checkout repository code

.github/workflows/link-check-internal.yml

@@ -17,7 +17,6 @@ on:
 
 permissions:
   contents: read
-  issues: write
 
 jobs:
   # Determine which version/language combos to run
@@ -35,14 +34,18 @@ jobs:
       - name: Set matrix
         id: set-matrix
         run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
             # Manual run: use the provided version and language
-            echo 'matrix={"include":[{"version":"${{ inputs.version }}","language":"${{ inputs.language }}"}]}' >> $GITHUB_OUTPUT
+            echo "matrix={\"include\":[{\"version\":\"${INPUT_VERSION}\",\"language\":\"${INPUT_LANGUAGE}\"}]}" >> $GITHUB_OUTPUT
           else
             # Scheduled run: English free-pro-team + English latest enterprise-server
             LATEST_GHES=$(npx tsx -e "import { latest } from './src/versions/lib/enterprise-server-releases'; console.log(latest)")
             echo "matrix={\"include\":[{\"version\":\"free-pro-team@latest\",\"language\":\"en\"},{\"version\":\"enterprise-server@${LATEST_GHES}\",\"language\":\"en\"}]}" >> $GITHUB_OUTPUT
           fi
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_LANGUAGE: ${{ inputs.language }}
 
       - uses: ./.github/actions/slack-alert
         if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
@@ -104,6 +107,8 @@ jobs:
     if: always() && github.repository == 'github/docs-internal'
     needs: [setup-matrix, check-internal-links]
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

.github/workflows/needs-sme-workflow.yml

@@ -13,13 +13,13 @@ on:
 
 permissions:
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   add-issue-comment:
     if: ${{ github.repository == 'github/docs' && (github.event.label.name == 'needs SME' && github.event_name == 'issues') }}
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -39,6 +39,8 @@ jobs:
   add-pr-comment:
     if: ${{ github.repository == 'github/docs' && (github.event.label.name == 'needs SME' && github.event_name == 'pull_request_target') }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Check out repo
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

.github/workflows/ready-for-doc-review.yml

@@ -37,11 +37,15 @@ jobs:
 
       - name: Set AUTHOR_LOGIN
         run: |
-          if [[ "${{ github.event.pull_request.assignee.login && github.event.pull_request.user.login == 'docs-bot' }}" ]]; then
-            echo "AUTHOR_LOGIN=${{ github.event.pull_request.assignee.login }}" >> $GITHUB_ENV
+          if [[ "${IS_DOCS_BOT_ASSIGNEE}" == "true" ]]; then
+            echo "AUTHOR_LOGIN=${ASSIGNEE_LOGIN}" >> $GITHUB_ENV
           else
-            echo "AUTHOR_LOGIN=${{ github.event.pull_request.user.login }}" >> $GITHUB_ENV
+            echo "AUTHOR_LOGIN=${USER_LOGIN}" >> $GITHUB_ENV
           fi
+        env:
+          IS_DOCS_BOT_ASSIGNEE: ${{ github.event.pull_request.assignee.login && github.event.pull_request.user.login == 'docs-bot' }}
+          ASSIGNEE_LOGIN: ${{ github.event.pull_request.assignee.login }}
+          USER_LOGIN: ${{ github.event.pull_request.user.login }}
 
       - name: Run script
         run: |

.github/workflows/sync-graphql.yml

@@ -10,13 +10,15 @@ on:
     - cron: '20 16 * * 1-5' # Run Mon-Fri at 16:20 UTC / 8:20 PST
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update_graphql_files:
     if: github.repository == 'github/docs-internal'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       ignored-changes: ${{ steps.sync.outputs.ignored-changes }}
       ignored-count: ${{ steps.sync.outputs.ignored-count }}

.github/workflows/triage-stale-check.yml

@@ -10,14 +10,15 @@ on:
 
 permissions:
   contents: read
-  issues: write
-  pull-requests: write
 
 jobs:
   stale_contributor:
     name: Identify and close stale issues and PRs
     if: github.repository == 'github/docs'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
 
     steps:
       - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
@@ -55,6 +56,9 @@ jobs:
     name: Remind staff about PRs waiting for review
     if: github.repository == 'github/docs'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:

.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+name: Workflow security lint
+
+# **What it does**: Runs zizmor to detect security issues in GitHub Actions workflows.
+# **Why we have it**: To catch injection vulnerabilities and other security misconfigurations before they ship.
+# **Who does it impact**: Docs engineering.
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+      - '.github/zizmor.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    if: github.repository == 'github/docs-internal'
+    name: zizmor
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        with:
+          online-audits: 'false'
+          advanced-security: 'false'
+          annotations: 'true'
+          min-severity: 'high'

.github/zizmor.yml

@@ -0,0 +1,22 @@
+rules:
+  # pull_request_target is required for workflows that need write access
+  # on PRs from forks (e.g. labeling, commenting). We audit these manually.
+  dangerous-triggers:
+    disable: true
+
+  # moda-ci uses reusable workflows (uses:) which don't support job-level
+  # permissions. id-token:write and attestations:write are needed by docker-image
+  # for attestation but can't be scoped to that job alone.
+  excessive-permissions:
+    ignore:
+      - moda-ci.yaml
+
+  # actions/* has immutable tags, so ref-pinning is sufficient.
+  # github/internal-actions is a private GitHub org repo, ref-pin is fine.
+  # Everything else must be hash-pinned.
+  unpinned-uses:
+    config:
+      policies:
+        'actions/*': ref-pin
+        'github/internal-actions/*': ref-pin
+        '*': hash-pin

content/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/adding-a-collaborator-to-a-repository-security-advisory.md

@@ -1,6 +1,6 @@
 ---
 title: Adding a collaborator to a repository security advisory
-intro: You can add other users or teams to collaborate on a security advisory with you.
+intro: Add other users or teams to collaborate on a security advisory with you.
 permissions: '{% data reusables.permissions.security-repo-enable %}'
 redirect_from:
   - /articles/adding-a-collaborator-to-a-maintainer-security-advisory
@@ -21,9 +21,7 @@ topics:
 shortTitle: Add collaborators
 ---
 
-{% data reusables.security-advisory.repository-level-advisory-note %}
-
-## Adding a collaborator to a security advisory
+This article applies to repository-level security advisories in a public repository. To edit a global advisory in the {% data variables.product.prodname_advisory_database %}, see [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
 
 Collaborators have write permissions to the security advisory. For more information, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories).
 
@@ -40,6 +38,4 @@ Collaborators have write permissions to the security advisory. For more informat
 
 ## Further reading
 
-* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/permission-levels-for-repository-security-advisories)
 * [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)
-* [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/removing-a-collaborator-from-a-repository-security-advisory).

content/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/managing-privately-reported-security-vulnerabilities.md

@@ -15,16 +15,8 @@ redirect_from:
   - /code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities
 ---
 
-{% data reusables.security-advisory.private-vulnerability-reporting-enable %}
-
-## About privately reporting a security vulnerability
-
-Private vulnerability reporting makes it easy for security researchers to report vulnerabilities directly to you using a simple form.
-
 When a security researcher reports a vulnerability privately, you are notified and can choose to either accept it, ask more questions, or reject it. If you accept the report, you're ready to collaborate on a fix for the vulnerability in private with the security researcher.
 
-## Managing security vulnerabilities that are privately reported
-
 {% data reusables.security-advisory.private-vulnerability-reporting-configure-notifications %}
 
 For more information about configuring notification preferences, see [AUTOTITLE](/code-security/security-advisories/working-with-repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository#configuring-notifications-for-private-vulnerability-reporting).