From e7536fcdd952114415e52baf6c8261eaa0fbb9fc Mon Sep 17 00:00:00 2001 From: eeSquared Date: Thu, 27 Oct 2022 23:29:00 -0400 Subject: [PATCH 1/2] Add a security disclaimer about Actions VMs (#31797) Co-authored-by: Lucas Costi --- .../security-hardening-for-github-actions.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 5a18705739..fed4af9a0b 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md @@ -215,6 +215,12 @@ For more information on how to configure this setting, see {% ifversion allow-ac These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner. +{% note %} + +**Note:** {% data variables.product.prodname_dotcom %}-hosted runners do not scan for malicious code downloaded by a user during their job, such as a compromised third party library. + +{% endnote %} + ### Accessing secrets Workflows triggered using the `pull_request` event have read-only permissions and have no access to secrets. However, these permissions differ for various event triggers such as `issue_comment`, `issues` and `push`, where the attacker could attempt to steal repository secrets or use the write permission of the job's [`GITHUB_TOKEN`](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token). From d5d1618d75dd070aee7aac6d90d77d307cf8cd68 Mon Sep 17 00:00:00 2001 From: Lucas Costi Date: Fri, 28 Oct 2022 13:43:30 +1000 Subject: [PATCH 2/2] Add more detail to liquid whitespace control info (#32116) Co-authored-by: Laura Coursen --- content/README.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) 
diff --git a/content/README.md b/content/README.md index 139e1802d4..dbd5c95100 100644 --- a/content/README.md +++ b/content/README.md 
@@ -326,14 +326,36 @@ When adding a new article, make sure the filename is a [kebab-cased](https://en. ## Whitespace control -When using Liquid conditionals in lists or tables, you can use [whitespace control](https://shopify.github.io/liquid/basics/whitespace/) characters to prevent the addition of newlines that would break the list or table rendering. +When using Liquid conditionals in lists or tables, you can use [whitespace control](https://shopify.github.io/liquid/basics/whitespace/) characters to prevent the addition of newlines and other whitespace that would break the list or table rendering. -Just add a hyphen on either the left, right, or both sides to indicate that there should be no newline on that side. For example, this statement removes a newline on the left side: +You can add a hyphen (`-`) on either the left, right, or both sides to indicate that there should be no newline or other whitespace on that side. ``` {%- ifversion fpt %} ``` +For example, to version a table row, instead of adding liquid versioning for the row starting at the end of the previous row, like this: + +``` +Column A | Column B | Column C +---------|----------|--------- +This row is for all versions | B1 | C1{% ifversion ghes %} +This row is for GHES only | B2 | C2{% endif %} +This row is for all versions | B3 | C3 +``` + +You can include the liquid versioning on its own line and use whitespace control to strip the newline to the left of the liquid tag. This makes reading the source much easier, without breaking the rendering of the table: + +``` +Column A | Column B | Column C +---------|----------|--------- +This row is for all versions | B1 | C1 +{%- ifversion ghes %} +This row is for GHES only | B2 | C2 +{%- endif %} +This row is for all versions | B3 | C3 +``` + ## Links Links to docs in the `docs-internal` repository must start with a product ID (like `/actions` or `/admin`) and contain the entire filepath, but not the file extension. 
For example, `/actions/creating-actions/about-custom-actions`.
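Review bot: In the first hunk (security-hardening-for-github-actions.md), the new note states a limitation without telling the reader what follows from it; since it sits under the "steps an attacker can take if they're able to run malicious commands" discussion, add a sentence saying the workflow author is responsible for vetting what their job downloads, so the note is actionable rather than purely informational. Also check scope: singling out "{% data variables.product.prodname_dotcom %}-hosted runners" could be read as implying self-hosted runners do perform such scanning; if the statement applies to both, say so. Minor style point: "third party library" should be hyphenated as "third-party library" when used as an adjective.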
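Review bot: In the second hunk (content/README.md), the removed line "For example, this statement removes a newline on the left side:" was the only lead-in for the `{%- ifversion fpt %}` code block that follows, and the replacement sentence ends with "on that side." so that block now floats with no explanation of which side the hyphen applies to; restore a short lead-in such as "For example, this tag strips whitespace on its left side:" before the fence. Also, "strip the newline to the left of the liquid tag" undersells the behaviour the paragraph above just corrected ("newlines and other whitespace"): the hyphen strips all whitespace on that side, including trailing spaces on the previous row, which is worth stating since that is what keeps the table intact. Style point: the hunk mixes "liquid versioning" / "liquid tag" with the existing "Liquid conditionals"; capitalize Liquid consistently.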