Adds third-party actions notices (reusable) (#58340)

2025-12-19 18:10:59 -05:00 · 2025-11-07 07:43:56 +00:00
parent c5a93180e1
commit c589c75107
15 changed files with 27 additions and 2 deletions
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
@@ -128,7 +128,8 @@ The `aws-actions/configure-aws-credentials` action receives a JWT from the {% da

 ```yaml copy
 # Sample workflow to access AWS resources when workflow is tied to branch
-# The workflow Creates static website using aws s3
+# The workflow creates a static website using Amazon S3
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: AWS example workflow
 on:
  push
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
@@ -80,6 +80,7 @@ The following example exchanges an OIDC ID token with Azure to receive an access
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Run Azure Login with OIDC
 on: [push]

--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
@@ -81,6 +81,7 @@ This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: List services in GCP
 on:
  pull_request:
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
@@ -128,6 +128,7 @@ This example demonstrates how to create a job that requests a secret from HashiC
 * `SECRET-PATH`: Replace this with the path to the secret you're retrieving from HashiCorp Vault. For example: `secret/data/production/ci npmToken`.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
  retrieve-secret:
    runs-on: ubuntu-latest
@@ -161,6 +162,7 @@ By default, the Vault server will automatically revoke access tokens when their
 1. Add a step to call the [Revoke a Token (Self)](https://www.vaultproject.io/api/auth/token#revoke-a-token-self) Vault API to revoke the access token.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
  retrieve-secret:
    runs-on: ubuntu-latest
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md
@@ -58,6 +58,7 @@ The following example uses the placeholders `YOUR_PROVIDER_NAME` and `YOUR_AUDIE
 {% raw %}

 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 permissions:
  id-token: write
  contents: read
@@ -91,6 +92,7 @@ jobs:
 {% raw %}

 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
      - name: Sign in to Artifactory Docker registry
        uses: docker/login-action@v3
        with:
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
@@ -56,6 +56,7 @@ The [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-
 The following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
  release-build:
    runs-on: ubuntu-latest
--- a/content/actions/tutorials/build-and-test-code/java-with-gradle.md
+++ b/content/actions/tutorials/build-and-test-code/java-with-gradle.md
@@ -55,6 +55,7 @@ We recommend that you have a basic understanding of Java and the Gradle framewor
   If you don't find the "Java with Gradle" workflow template, copy the following workflow code to a new file called `gradle.yml` in the `.github/workflows` directory of your repository.

   ```yaml copy
+   {% data reusables.actions.actions-not-certified-by-github-comment %}
   name: Java CI with Gradle

   on:
@@ -109,6 +110,7 @@ The workflow template will run the `build` task by default. In the default Gradl
 If you use different commands to build your project, or you want to use a different task, you can specify those. For example, you may want to run the `package` task that's configured in your `ci.gradle` file.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
  - uses: {% data reusables.actions.action-checkout %}
  - uses: {% data reusables.actions.action-setup-java %}
@@ -136,6 +138,7 @@ After your build has succeeded and your tests have passed, you may want to uploa
 Gradle will usually create output files like JARs, EARs, or WARs in the `build/libs` directory. You can upload the contents of that directory using the `upload-artifact` action.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
  - uses: {% data reusables.actions.action-checkout %}
  - uses: {% data reusables.actions.action-setup-java %}
--- a/content/actions/tutorials/build-and-test-code/java-with-maven.md
+++ b/content/actions/tutorials/build-and-test-code/java-with-maven.md
@@ -55,6 +55,7 @@ We recommend that you have a basic understanding of Java and the Maven framework
   If you don't find the "Java with Maven" workflow template, copy the following workflow code to a new file called `maven.yml` in the `.github/workflows` directory of your repository.

   ```yaml copy
+   {% data reusables.actions.actions-not-certified-by-github-comment %}
   name: Java CI with Maven

   on:
--- a/content/actions/tutorials/build-and-test-code/ruby.md
+++ b/content/actions/tutorials/build-and-test-code/ruby.md
@@ -49,6 +49,7 @@ We recommend that you have a basic understanding of Ruby, YAML, workflow configu
   If you don't find the "Ruby" workflow template, copy the following workflow code to a new file called `ruby.yml` in the `.github/workflows` directory of your repository.

   ```yaml copy
+   {% data reusables.actions.actions-not-certified-by-github-comment %}
   name: Ruby

   on:
@@ -102,6 +103,7 @@ Using Ruby's `ruby/setup-ruby` action is the recommended way of using Ruby with
 The `setup-ruby` action takes a Ruby version as an input and configures that version on the runner.

 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
 - uses: {% data reusables.actions.action-checkout %}
 - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
@@ -170,6 +172,7 @@ jobs:
 The `setup-ruby` action will automatically install bundler for you. The version is determined by your `gemfile.lock` file. If no version is present in your lockfile, then the latest compatible version will be installed.

 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
 - uses: {% data reusables.actions.action-checkout %}
 - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
@@ -187,6 +190,7 @@ To enable caching, set the following.
 {% raw %}

 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
 - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
  with:
--- a/content/actions/tutorials/build-and-test-code/swift.md
+++ b/content/actions/tutorials/build-and-test-code/swift.md
@@ -127,6 +127,7 @@ You can configure your job to use a single specific version of Swift, such as `5
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
  - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf
    with:
@@ -142,6 +143,7 @@ steps:
 You can use the same commands that you use locally to build and test your code using Swift. This example demonstrates how to use `swift build` and `swift test` in a job:

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
  - uses: {% data reusables.actions.action-checkout %}
  - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf
--- a/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md
+++ b/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md
@@ -88,6 +88,7 @@ This example demonstrates using the `actions-sync` tool to sync an individual ac
 1. After the action repository is created in your enterprise, people in your enterprise can use the destination repository to reference the action in their workflows. For the example action shown above:

   ```yaml
+   {% data reusables.actions.actions-not-certified-by-github-comment %}
   uses: synced-actions/actions-stale@v1
   ```

--- a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
@@ -55,6 +55,7 @@ To access a private container registry on AWS with a user name and password, a w
 In this example, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used.

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: CI
 on:
  pull_request:
--- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
+++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
@@ -53,6 +53,7 @@ Example:
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot fetch metadata
 on: pull_request

@@ -89,6 +90,7 @@ Example that flags all production dependency updates with a label:
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-label
 on: pull_request

@@ -124,6 +126,7 @@ Example:
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-approve
 on: pull_request

@@ -160,6 +163,7 @@ You can instead use {% data variables.product.prodname_actions %} and the {% dat
 {% raw %}

 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-merge
 on: pull_request

--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md
@@ -50,7 +50,7 @@ If you have external tools which create or manage Software Bills of Materials (S
 For example, the following [SPDX Dependency Submission Action](https://github.com/marketplace/actions/spdx-dependency-submission-action) workflow calculates the dependencies for a repository, generates an exportable SBOM in SPDX 2.2 format, and submits it to the {% data variables.dependency-submission-api.name %}.

 ```yaml
-
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: SBOM upload

 on:
--- a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
+++ b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
@@ -208,6 +208,7 @@ To use the Azure DevOps MCP server with {% data variables.copilot.copilot_coding
 1. Add an Azure login step to the `copilot-setup-steps` workflow job.

   ```yaml copy
+   {% data reusables.actions.actions-not-certified-by-github-comment %}
   on:
     workflow_dispatch:
   permissions: