Hardening adjustments (#92)

* Reject symlinks

* Pin vale-rules/lint

* Reject symlinks in links artifact

* Pin vale-rules/report

* Update lock

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mpdreamz <245275+Mpdreamz@users.noreply.github.com>

Author: 3 people

.github/workflows/codex-preview.yml

@@ -138,6 +138,13 @@ jobs:
         with:
           name: docs
           path: docs
+      - name: Reject symlinks in build output
+        run: |
+          if find docs -type l | grep -q .; then
+            echo "::error::Symlinks found in build output — refusing to deploy"
+            find docs -type l -ls
+            exit 1
+          fi
       - uses: elastic/docs-actions/aws/auth@v1
         with:
           aws_role_name_prefix: codex-eng-preview-

.github/workflows/docs-deploy.yml

@@ -796,6 +796,14 @@ jobs:
           name: links
           path: /tmp/link-index-upload
 
+      - name: Reject symlinks in link index artifact
+        run: |
+          if find /tmp/link-index-upload -type l | grep -q .; then
+            echo "::error::Symlinks found in link index artifact — refusing to upload"
+            find /tmp/link-index-upload -type l -ls
+            exit 1
+          fi
+
       - name: Upload link reference to S3
         run: |
           aws s3 cp --checksum-algorithm "SHA256" \