Actions bug fix hour for week of August 07, 2023 (#40816)
@@ -36,7 +36,7 @@ The following is a list of official partner implementations for deployment prote
- New Relic: for more information, see [the New Relic app](https://github.com/apps/new-relic-gate) in the {% data variables.product.prodname_marketplace %}.
- NCM NodeSource: for more information, see [the NCM NodeSource app](https://github.com/apps/ncm-nodesource) in the {% data variables.product.prodname_marketplace %}.
- Sentry: for more information, see [the Sentry Deployment Gate app](https://github.com/apps/sentry-deployment-gate) in the {% data variables.product.prodname_marketplace %}.
- ServiceNow: for more information, see [DevOps](https://www.servicenow.com/products/devops.html) in the ServiceNow documentation.
- ServiceNow: for more information, see [GitHub integration with DevOps Change Velocity](https://docs.servicenow.com/bundle/utah-devops/page/product/enterprise-dev-ops/concept/github-integration-dev-ops.html) in the ServiceNow documentation.
## Prerequisites
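Review bot: the hunk header reports a single changed line, and the two adjacent ServiceNow bullets (the `DevOps` product page and the `GitHub integration with DevOps Change Velocity` docs page) read as the old and new version of the same list item; confirm only one of them survives so the partner list does not end up with two ServiceNow entries. The new target URL is pinned to the `utah-devops` bundle, which is a release-specific path, so it will need re-checking when the vendor publishes a newer bundle.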
@@ -301,9 +301,13 @@ This list describes the recommended approaches for accessing repository data wit
1. **SSH keys on a personal account**
- Workflows should never use the SSH keys on a personal account. Similar to {% data variables.product.pat_v1_plural %}, they grant read/write permissions to all of your personal repositories as well as all the repositories you have access to through organization membership. This indirectly grants broad access to all write-access users of the repository the workflow is in. If you're intending to use an SSH key because you only need to perform repository clones or pushes, and do not need to interact with public APIs, then you should use individual deploy keys instead.
## Hardening for {% data variables.product.prodname_dotcom %}-hosted runners
{% data variables.product.prodname_dotcom %}-hosted runners take measures to help you mitigate security risks.
{% ifversion actions-sbom %}
## Reviewing the supply chain for {% data variables.product.prodname_dotcom %}-hosted runners
### Reviewing the supply chain for {% data variables.product.prodname_dotcom %}-hosted runners
You can view a software bill of materials (SBOM) to see what software was pre-installed on the {% data variables.product.prodname_dotcom %}-hosted runner image used during your workflow runs. You can provide your users with the SBOM which they can run through a vulnerability scanner to validate if there are any vulnerabilities in the product. If you are building artifacts, you can include this SBOM in your bill of materials for a comprehensive list of everything that went into creating your software.
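Review bot: demoting the heading from `##` to `###` correctly nests the SBOM section under "Hardening for GitHub-hosted runners", but the closing sentence of the paragraph ("validate if there are any vulnerabilities in the product") should say what the SBOM covers: it lists the software pre-installed on the runner image, not packages the workflow itself installs or fetches at run time, so a scan of it gives coverage of the image only. Also confirm that the `{% ifversion actions-sbom %}` opened in this hunk is the one closed by the `{% endif %}` in the next hunk, since the two now sit in different hunks.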
@@ -311,6 +315,10 @@ SBOMs are available for Ubuntu, Windows, and macOS runner images. You can locate
{% endif %}
### Denying access to hosts
{% data reusables.actions.runners-etc-hosts-file %}{%ifversion fpt or ghec or ghes %}For more information, see "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners)."{% endif %}
## Hardening for self-hosted runners
{% ifversion fpt or ghec %}
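Review bot: `{%ifversion fpt or ghec or ghes %}` is missing the space after `{%`, unlike `{% ifversion fpt or ghec %}` a few lines below; write it as `{% ifversion fpt or ghec or ghes %}` for consistency with the rest of the file. The reusable and the conditional link are concatenated with no whitespace between `%}` and `{%`, so check the rendered output to make sure "For more information" does not run directly onto the end of the reusable's last sentence.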
@@ -198,6 +198,10 @@ Since there are so many IP address ranges for {% data variables.product.prodname
The list of {% data variables.product.prodname_actions %} IP addresses returned by the API is updated once a week.
## The `etc/hosts` file
{% data reusables.actions.runners-etc-hosts-file %}
## File systems
{% data variables.product.prodname_dotcom %} executes actions and shell commands in specific directories on the virtual machine. The file paths on virtual machines are not static. Use the environment variables {% data variables.product.prodname_dotcom %} provides to construct file paths for the `home`, `workspace`, and `workflow` directories.
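Review bot: the new heading reads "The `etc/hosts` file", but the path is `/etc/hosts`; the missing leading slash comes from the reusable as well, so fix it in `data/reusables/actions/runners-etc-hosts-file.md` rather than patching it here. The section would also benefit from one sentence on the limits of the control: a hosts-file entry only affects name lookups that consult that file, so a process that connects by IP address or brings its own resolver is not stopped by it, and readers should not take the section to mean mining-pool traffic is blocked outright.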
data/reusables/actions/runners-etc-hosts-file.md
Normal file
@@ -0,0 +1 @@
{% data variables.product.prodname_dotcom %}-hosted runners are provisioned with an `etc/hosts` file that blocks network access to various cryptocurrency mining pools and malicious sites. Hosts such as MiningMadness.com and cpu-pool.com are rerouted to localhost so that they do not present a significant security risk.
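Review bot: same path issue as the heading that includes this reusable, the file is `/etc/hosts` with a leading slash. "rerouted to localhost so that they do not present a significant security risk" overstates what the entry achieves; suggest "resolve to the runner itself rather than to the pool" so the sentence describes the mechanism instead of asserting the risk is gone, and keep MiningMadness.com and cpu-pool.com explicitly as examples, since the sentence describes the list as covering "various" pools and sites.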