elastic/elasticsearch

4 workflows · maturity 33% · 4 patterns

Security 12.5/100

Practices

✓ Matrix · ✓ Permissions · ○ Security scan · ○ AI review · ○ Cache · ○ Concurrency · ✓ Reusable workflows

Detected patterns

Security dimensions

permissions: 12.5
security scan: 0
supply chain: 0
secret handling: 0
harden runner: 0

Workflows (4)

docs-build .github/workflows/docs-build.yml
Triggers
push, pull_request_target, merge_group
Runs on
Jobs
docs-preview
Raw YAML:
name: docs-build

on:
  push:
    branches:
      - main
  pull_request_target: ~
  merge_group: ~

jobs:
  docs-preview:
    uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
    with:
      enable-vale-linting: true
      include-paths: |
        docs/reference/**
        docs/extend/**
        !docs/reference/query-languages/esql/**
      path-pattern: docs/**
      path-pattern-ignore: docs/changelog/**/*.yaml
      enable-cumulative-comment: true
    permissions:
      deployments: write
      id-token: write
      contents: read
      pull-requests: write

docs-cleanup .github/workflows/docs-cleanup.yml
Triggers
pull_request_target
Runs on
Jobs
docs-preview
Raw YAML:
name: docs-cleanup

on:
  pull_request_target:
    types:
      - closed

jobs:
  docs-preview:
    uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main
    permissions:
      contents: none
      id-token: write
      deployments: write

gradle-wrapper-validation perms .github/workflows/gradle-wrapper-validation.yml
Triggers
push
Runs on
ubuntu-latest
Jobs
validation
Actions
gradle/actions/wrapper-validation
Raw YAML:
name: "Validate Gradle Wrapper"
on: [push]

permissions:
  contents: read

jobs:
  validation:
    name: "Validation"
    if: github.repository == 'elastic/elasticsearch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gradle/actions/wrapper-validation@ac638b010cf58a27ee6c972d7336334ccaf61c96 # Release v4.4.1

updatecli-compose matrix perms .github/workflows/updatecli-compose.yml
Triggers
workflow_dispatch, schedule
Runs on
ubuntu-latest, ubuntu-latest
Jobs
setup-matrix, compose
Matrix
branch→ ${{ fromJson(needs.setup-matrix.outputs.branches) }}
Actions
docker/login-action, elastic/oblt-actions/updatecli/run
Commands
  • BRANCHES=$(jq -c '[.branches[].branch]' branches.json); echo "matrix=$BRANCHES" >> $GITHUB_OUTPUT
  • yq eval '.scm.branch = "${{ matrix.branch }}"' -i .github/updatecli/values.d/scm.yml
Raw YAML:
---
name: updatecli-compose

on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *"

permissions:
  contents: read

jobs:
  setup-matrix:
    if: github.repository == 'elastic/elasticsearch'
    runs-on: ubuntu-latest
    outputs:
      branches: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - id: set-matrix
        run: |
          BRANCHES=$(jq -c '[.branches[].branch]' branches.json)
          echo "matrix=$BRANCHES" >> $GITHUB_OUTPUT

  compose:
    needs: setup-matrix
    if: github.repository == 'elastic/elasticsearch'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branch: ${{ fromJson(needs.setup-matrix.outputs.branches) }}
    permissions:
      contents: write
      packages: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}

      - name: Update branch in SCM values
        run: |
          yq eval '.scm.branch = "${{ matrix.branch }}"' -i .github/updatecli/values.d/scm.yml

      - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: elastic/oblt-actions/updatecli/run@v1
        with:
          # Runs in "--debug" mode to provide logs if the PR creation fails
          command: --experimental compose apply --debug
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}