
Merge pull request #31509 from github/repo-sync

Repo sync
docs-bot
2024-02-07 09:57:40 -08:00
committed by GitHub
2 changed files with 23 additions and 27 deletions


@@ -87,9 +87,6 @@ Before you begin, you'll create a repository on {% data variables.location.produ
1. In the `hello-world-composite-action` repository, create a new file called `action.yml` and add the following example code. For more information about this syntax, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-composite-actions)".
{% raw %}
**action.yml**
```yaml copy
name: 'Hello World'
description: 'Greet someone'
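Review bot: dropping the block-level `{% raw %}` just above `**action.yml**` means Liquid will now parse every `${{ ... }}` inside this fenced block, so each expression needs its own inline `{% raw %}...{% endraw %}`. The `outputs:` and `steps:` expressions are visibly wrapped in the next hunk, but the `inputs:` section between the two hunks is not shown in this diff; please confirm it contains no bare expression, since an unwrapped one would render as empty text rather than fail loudly.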
@@ -101,26 +98,33 @@ Before you begin, you'll create a repository on {% data variables.location.produ
outputs:
random-number:
description: "Random number"
value: ${{ steps.random-number-generator.outputs.random-number }}
value: {% raw %}${{ steps.random-number-generator.outputs.random-number }}{% endraw %}
runs:
using: "composite"
steps:
- run: echo Hello ${{ inputs.who-to-greet }}.
- name: Set Greeting
run: echo "Hello $INPUT_WHO_TO_GREET."
shell: bash
- id: random-number-generator{% endraw %}
{%- ifversion actions-save-state-set-output-envs %}
env:
INPUT_WHO_TO_GREET: {% raw %}${{ inputs.who-to-greet }}{% endraw %}
- name: Random Number Generator
id: random-number-generator
run: echo "random-number=$(echo $RANDOM)" >> $GITHUB_OUTPUT
{%- else %}
run: echo "::set-output name=random-number::$(echo $RANDOM)"
{%- endif %}{% raw %}
shell: bash
- run: echo "${{ github.action_path }}" >> $GITHUB_PATH
- name: Set GitHub Path
run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
shell: bash
- run: goodbye.sh
env:
GITHUB_ACTION_PATH: {% raw %}${{ github.action_path }}{% endraw %}
- name: Run goodbye.sh
run: goodbye.sh
shell: bash
```
{% endraw %}
This file defines the `who-to-greet` input, maps the random generated number to the `random-number` output variable, adds the action's path to the runner system path (to locate the `goodbye.sh` script during execution), and runs the `goodbye.sh` script.
For more information about managing outputs, see "[AUTOTITLE](/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions)".
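Review bot: moving `${{ inputs.who-to-greet }}` and `${{ github.action_path }}` out of the `run:` lines and into `env:` (`INPUT_WHO_TO_GREET`, `GITHUB_ACTION_PATH`) is the right hardening, since an input containing shell metacharacters is now read by bash as the value of a quoted variable instead of being expanded into the script text before it runs. Two small points remain in the same steps: `$(echo $RANDOM)` in both `run:` lines under the `{%- ifversion %}` / `{%- else %}` branches is just `$RANDOM`, and the redirect targets should be quoted for consistency with the quoted variables elsewhere in the example, e.g. `run: echo "random-number=$RANDOM" >> "$GITHUB_OUTPUT"` and `run: echo "$GITHUB_ACTION_PATH" >> "$GITHUB_PATH"`.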
@@ -148,8 +152,6 @@ The following workflow code uses the completed hello world action that you made
Copy the workflow code into a `.github/workflows/main.yml` file in another repository, but replace `actions/hello-world-composite-action@v1` with the repository and tag you created. You can also replace the `who-to-greet` input with your name.
**.github/workflows/main.yml**
```yaml copy
on: [push]
@@ -163,8 +165,10 @@ jobs:
uses: actions/hello-world-composite-action@v1
with:
who-to-greet: 'Mona the Octocat'
- run: echo random-number {% raw %}${{ steps.foo.outputs.random-number }}{% endraw %}
- run: echo random-number "$RANDOM_NUMBER"
shell: bash
env:
RANDOM_NUMBER: {% raw %}${{ steps.foo.outputs.random-number }}{% endraw %}
```
From your repository, click the **Actions** tab, and select the latest workflow run. The output should include: "Hello Mona the Octocat", the result of the "Goodbye" script, and a random number.
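Review bot: the new step passes `steps.foo.outputs.random-number` through `env:` and references it as the quoted `"$RANDOM_NUMBER"`, which matches the guidance in the other file of this PR; for consistency with the named steps introduced in `action.yml` here (`Set Greeting`, `Random Number Generator`, `Run goodbye.sh`), give this step a `name:` as well, so the run log shows what it checks rather than the bare `echo` command.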


@@ -113,30 +113,24 @@ There are a number of different approaches available to help you mitigate the ri
### Using an action instead of an inline script (recommended)
The recommended approach is to create an action that processes the context value as an argument. This approach is not vulnerable to the injection attack, as the context value is not used to generate a shell script, but is instead passed to the action as an argument:
{% raw %}
The recommended approach is to create a JavaScript action that processes the context value as an argument. This approach is not vulnerable to the injection attack, since the context value is not used to generate a shell script, but is instead passed to the action as an argument:
```yaml
uses: fakeaction/checktitle@v3
with:
title: ${{ github.event.pull_request.title }}
title: {% raw %}${{ github.event.pull_request.title }}{% endraw %}
```
{% endraw %}
### Using an intermediate environment variable
For inline scripts, the preferred approach to handling untrusted input is to set the value of the expression to an intermediate environment variable.
The following example uses Bash to process the `github.event.pull_request.title` value as an environment variable:
{% raw %}
```yaml
- name: Check PR title
env:
TITLE: ${{ github.event.pull_request.title }}
TITLE: {% raw %}${{ github.event.pull_request.title }}{% endraw %}
run: |
if [[ "$TITLE" =~ ^octocat ]]; then
echo "PR title starts with 'octocat'"
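Review bot: the wording change from "JavaScript action" to "action" broadens the claim, and the reasoning given (the value is passed as an input, not used to generate a shell script) only holds when the receiving action does not itself interpolate that input into a `run:` line. A composite action that did `run: echo ${{ inputs.title }}` would reintroduce exactly the injection this section is mitigating, so consider adding one clause after "passed to the action as an argument" saying the action must read the input as data, for example through `env:` as in the next section, rather than template it into a script.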
@@ -147,8 +141,6 @@ The following example uses Bash to process the `github.event.pull_request.title`
fi
```
{% endraw %}
In this example, the attempted script injection is unsuccessful, which is reflected by the following lines in the log:
```shell