Skip to content

Commit 830f34a

Browse files
authored
Merge pull request #45003 from github/repo-sync
Repo sync
2 parents c9bd77a + e1872e2 commit 830f34a

45 files changed

Lines changed: 295217 additions & 202646 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/instructions/content.instructions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
applyTo: "content/**,data/**,**/*.md"
2+
applyTo: "content/**,data/**"
33
---
44

55
# Copilot content instructions for docs.github.com

.github/instructions/style-guide-summary.instructions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
---
2-
applyTo: "content/**,data/**,**/*.md"
2+
applyTo: "content/**,data/**"
33
---
44

55
# Concise style guide for docs.github.com

content/actions/concepts/workflows-and-actions/dependency-caching.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,14 @@ Workflow runs often reuse the same outputs or downloaded dependencies from one r
2727

2828
For more information on workflow run artifacts, see [AUTOTITLE](/actions/using-workflows/storing-workflow-data-as-artifacts).
2929

30+
## Cache security
31+
32+
Caches are shared based on the branch or tag a workflow run uses, not on the identity of the workflow or job. See [AUTOTITLE](/actions/reference/workflows-and-actions/events-that-trigger-workflows) and the `GITHUB_REF` for the branch used for various workflow triggers. Any run that can read a cache restores its contents as-is, so you should treat restored files as untrusted input and never store secrets or other sensitive data in a cache.
33+
34+
Untrusted workflows can read sensitive cache contents, such as when a `pull_request` from a fork restores a cache. Poisoned caches can lead to code execution in trusted workflows. To limit the risk of cache poisoning, {% data variables.product.github %} gives workflows that run in response to low-trust triggers read-only access to caches in the default branch's scope.
35+
36+
For details on cache scope, access restrictions, and best practices for using caches securely, see [AUTOTITLE](/actions/reference/dependency-caching-reference#cache-access-for-low-trust-workflow-triggers).
37+
3038
## Next steps
3139

3240
To implement dependency caching in your workflows, see [AUTOTITLE](/actions/reference/dependency-caching-reference).

content/actions/reference/workflows-and-actions/dependency-caching.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -261,6 +261,37 @@ Multiple workflow runs in a repository can share caches. A cache created for a b
261261

262262
{% endif %}
263263

264+
## Cache access for low-trust workflow triggers
265+
266+
Some workflows run in response to events that can be initiated by people who do not have write access to the repository, such as a fork pull request or an issue comment. When these events run in the context of the default branch, they could be used to write a malicious cache that a later, more privileged workflow restores and trusts. This class of attack is known as _cache poisoning_.
267+
268+
To reduce this risk, only these workflow triggers can create or overwrite caches in the default branch’s scope:
269+
* `push`
270+
* `workflow_dispatch`
271+
* `repository_dispatch`
272+
* `delete`
273+
* `registry_package`
274+
* `page_build`
275+
* `schedule`
276+
277+
Runs triggered by any other event that resolves to the default branch are given read-only access to caches in the default branch's scope. These runs can restore existing caches but cannot create or overwrite them. This includes triggers whose payload or initiating actor can be influenced by someone outside the repository, such as `pull_request_target`, `issue_comment`, and `workflow_run`.
278+
279+
The `pull_request` event is not affected. Caches created by a `pull_request` run are already scoped to the merge ref (`refs/pull/.../merge`) and cannot be written to the default branch's scope. For more information, see [Restrictions for accessing a cache](#restrictions-for-accessing-a-cache).
280+
281+
When a run with read-only cache access tries to save a cache, the save fails but the step and the job do not. The workflow continues, and the failure is reported as a warning in the workflow log. In that case, consider the following:
282+
* To retain the performance benefits of caching on the default branch scope, ensure there is a trusted workflow that keeps the cache updated, for example a CI build triggered by a `push` to the default branch. Those cache entries can then be restored by workflows triggered by low-trust events such as `pull_request_target`.
283+
* In low-trust workflows, switch to a restore-only cache operation such as `actions/cache/restore` to make the intended cache usage clear and avoid the warning in the workflow run logs.
284+
285+
## Best practices for using caches securely
286+
287+
Cache contents are not signed or verified, and any workflow run that can read a cache may extract its contents. Extracted caches may modify files that are subsequently executed in a workflow run, leading to malicious code execution. Follow these practices to reduce the security risk of using caches.
288+
289+
* **Don't store sensitive information in a cache.** Anyone who can open a pull request against your repository can read the contents of caches in the base branch. Don't write secrets, tokens, or credentials to a cached path. Store sensitive values as secrets instead. See [AUTOTITLE](/actions/concepts/security/secrets).
290+
* **Save caches from trusted triggers.** Restrict cache writes to workflows triggered by trusted actors (typically those with write access to the repository). See [Cache access for low-trust workflow triggers](#cache-access-for-low-trust-workflow-triggers) for the default restrictions that are enforced to limit what workflow triggers can write to the cache. Additionally, consider using environments with deployment protection rules to further limit the workflows that can modify the cache. See [AUTOTITLE](/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments).
291+
* **Follow workflow best security practices to harden your workflows:** Limit workflows that have cache-write access to those that have been hardened against workflow vulnerabilities. Follow the guidance at [AUTOTITLE](/actions/reference/security/secure-use#writing-workflows) to prevent vulnerabilities in your workflows that could lead to code execution and the introduction of malicious cache entries.
292+
293+
For broader guidance on securing your workflows, see [AUTOTITLE](/actions/reference/security/secure-use).
294+
264295
## Usage limits and eviction policy
265296

266297
{% data variables.product.prodname_dotcom %} applies limits to cache storage and retention to manage storage costs and prevent abuse. Understanding these limits helps you optimize your cache usage.

data/features/dependabot-bun-support.yml

Lines changed: 0 additions & 6 deletions
This file was deleted.

data/features/dependabot-docker-compose-support.yml

Lines changed: 0 additions & 6 deletions
This file was deleted.

data/reusables/actions/larger-runners-troubleshooting-linux-windows.md

Lines changed: 0 additions & 8 deletions
This file was deleted.

data/reusables/actions/run-jobs-larger-runners.md

Lines changed: 0 additions & 6 deletions
This file was deleted.

data/reusables/actions/runner-labels-implicit.md

Lines changed: 0 additions & 1 deletion
This file was deleted.

data/reusables/actions/runner-labels.md

Lines changed: 0 additions & 1 deletion
This file was deleted.

0 commit comments

Comments
 (0)