From c589c75107ef564152022f681f0fa8596243d3e1 Mon Sep 17 00:00:00 2001
From: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
Date: Fri, 7 Nov 2025 07:43:56 +0000
Subject: [PATCH] Adds third-party actions notices (reusable) (#58340)

---
 .../security-harden-deployments/oidc-in-aws.md | 3 ++-
 .../security-harden-deployments/oidc-in-azure.md | 1 +
 .../oidc-in-google-cloud-platform.md | 1 +
 .../security-harden-deployments/oidc-in-hashicorp-vault.md | 2 ++
 .../security-harden-deployments/oidc-in-jfrog.md | 2 ++
 .../security-harden-deployments/oidc-in-pypi.md | 1 +
 .../actions/tutorials/build-and-test-code/java-with-gradle.md | 3 +++
 .../actions/tutorials/build-and-test-code/java-with-maven.md | 1 +
 content/actions/tutorials/build-and-test-code/ruby.md | 4 ++++
 content/actions/tutorials/build-and-test-code/swift.md | 2 ++
 .../manually-syncing-actions-from-githubcom.md | 1 +
 .../troubleshooting-dependabot-on-github-actions.md | 1 +
 .../automating-dependabot-with-github-actions.md | 4 ++++
 .../using-the-dependency-submission-api.md | 2 +-
 .../coding-agent/extend-coding-agent-with-mcp.md | 1 +
 15 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
index af6e5903fab8..eae3aea58b49 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.md
@@ -128,7 +128,8 @@ The `aws-actions/configure-aws-credentials` action receives a JWT from the {% da
 ```yaml copy
 # Sample workflow to access AWS resources when workflow is tied to branch
-# The workflow Creates static website using aws s3
+# The workflow creates a static website using Amazon S3
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: AWS example workflow
 on: push
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
index 28c625b7ef44..b0b18fa97c70 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure.md
@@ -80,6 +80,7 @@ The following example exchanges an OIDC ID token with Azure to receive an access
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Run Azure Login with OIDC
 on: [push]
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
index 26790096cb77..3be5346d0650 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform.md
@@ -81,6 +81,7 @@ This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: List services in GCP
 on:
   pull_request:
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
index 563e03581872..e457e5358a20 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault.md
@@ -128,6 +128,7 @@ This example demonstrates how to create a job that requests a secret from HashiC
 * `SECRET-PATH`: Replace this with the path to the secret you're retrieving from HashiCorp Vault. For example: `secret/data/production/ci npmToken`.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
   retrieve-secret:
     runs-on: ubuntu-latest
@@ -161,6 +162,7 @@ By default, the Vault server will automatically revoke access tokens when their
 1. Add a step to call the [Revoke a Token (Self)](https://www.vaultproject.io/api/auth/token#revoke-a-token-self) Vault API to revoke the access token.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
   retrieve-secret:
     runs-on: ubuntu-latest
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md
index 17f0caad8509..4035faf000aa 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-jfrog.md
@@ -58,6 +58,7 @@ The following example uses the placeholders `YOUR_PROVIDER_NAME` and `YOUR_AUDIE
 {% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 permissions:
   id-token: write
   contents: read
@@ -91,6 +92,7 @@ jobs:
 {% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 - name: Sign in to Artifactory Docker registry
   uses: docker/login-action@v3
   with:
diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
index fa5bf119dd01..d9d35f617eff 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi.md
@@ -56,6 +56,7 @@ The [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-
 The following example uses the `pypa/gh-action-pypi-publish` action to exchange an OIDC token for a PyPI API token, which is then used to upload a package's release distributions to PyPI.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 jobs:
   release-build:
     runs-on: ubuntu-latest
diff --git a/content/actions/tutorials/build-and-test-code/java-with-gradle.md b/content/actions/tutorials/build-and-test-code/java-with-gradle.md
index 2ee2805ae79d..0ce2a8f7610b 100644
--- a/content/actions/tutorials/build-and-test-code/java-with-gradle.md
+++ b/content/actions/tutorials/build-and-test-code/java-with-gradle.md
@@ -55,6 +55,7 @@ We recommend that you have a basic understanding of Java and the Gradle framewor
 If you don't find the "Java with Gradle" workflow template, copy the following workflow code to a new file called `gradle.yml` in the `.github/workflows` directory of your repository.
 ```yaml copy
+ {% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Java CI with Gradle
 on:
@@ -109,6 +110,7 @@ The workflow template will run the `build` task by default. In the default Gradl
 If you use different commands to build your project, or you want to use a different task, you can specify those. For example, you may want to run the `package` task that's configured in your `ci.gradle` file.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: {% data reusables.actions.action-checkout %}
   - uses: {% data reusables.actions.action-setup-java %}
@@ -136,6 +138,7 @@ After your build has succeeded and your tests have passed, you may want to uploa
 Gradle will usually create output files like JARs, EARs, or WARs in the `build/libs` directory. You can upload the contents of that directory using the `upload-artifact` action.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: {% data reusables.actions.action-checkout %}
   - uses: {% data reusables.actions.action-setup-java %}
diff --git a/content/actions/tutorials/build-and-test-code/java-with-maven.md b/content/actions/tutorials/build-and-test-code/java-with-maven.md
index 0945c63e1450..16ad6533ad3a 100644
--- a/content/actions/tutorials/build-and-test-code/java-with-maven.md
+++ b/content/actions/tutorials/build-and-test-code/java-with-maven.md
@@ -55,6 +55,7 @@ We recommend that you have a basic understanding of Java and the Maven framework
 If you don't find the "Java with Maven" workflow template, copy the following workflow code to a new file called `maven.yml` in the `.github/workflows` directory of your repository.
 ```yaml copy
+ {% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Java CI with Maven
 on:
diff --git a/content/actions/tutorials/build-and-test-code/ruby.md b/content/actions/tutorials/build-and-test-code/ruby.md
index 614e07723882..6b2142f1a6b2 100644
--- a/content/actions/tutorials/build-and-test-code/ruby.md
+++ b/content/actions/tutorials/build-and-test-code/ruby.md
@@ -49,6 +49,7 @@ We recommend that you have a basic understanding of Ruby, YAML, workflow configu
 If you don't find the "Ruby" workflow template, copy the following workflow code to a new file called `ruby.yml` in the `.github/workflows` directory of your repository.
 ```yaml copy
+ {% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Ruby
 on:
@@ -102,6 +103,7 @@ Using Ruby's `ruby/setup-ruby` action is the recommended way of using Ruby with
 The `setup-ruby` action takes a Ruby version as an input and configures that version on the runner.
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: {% data reusables.actions.action-checkout %}
   - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
@@ -170,6 +172,7 @@ jobs:
 The `setup-ruby` action will automatically install bundler for you. The version is determined by your `gemfile.lock` file. If no version is present in your lockfile, then the latest compatible version will be installed.
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: {% data reusables.actions.action-checkout %}
   - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
@@ -187,6 +190,7 @@ To enable caching, set the following.
 {% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: ruby/setup-ruby@ec02537da5712d66d4d50a0f33b7eb52773b5ed1
     with:
diff --git a/content/actions/tutorials/build-and-test-code/swift.md b/content/actions/tutorials/build-and-test-code/swift.md
index 57c25848abdb..75cb76157e4c 100644
--- a/content/actions/tutorials/build-and-test-code/swift.md
+++ b/content/actions/tutorials/build-and-test-code/swift.md
@@ -127,6 +127,7 @@ You can configure your job to use a single specific version of Swift, such as `5
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf
     with:
@@ -142,6 +143,7 @@ steps:
 You can use the same commands that you use locally to build and test your code using Swift. This example demonstrates how to use `swift build` and `swift test` in a job:
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 steps:
   - uses: {% data reusables.actions.action-checkout %}
   - uses: swift-actions/setup-swift@65540b95f51493d65f5e59e97dcef9629ddf11bf
diff --git a/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md b/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md
index 0d428cd06f1d..b9065db4f03e 100644
--- a/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md
+++ b/content/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom.md
@@ -88,6 +88,7 @@ This example demonstrates using the `actions-sync` tool to sync an individual ac
 1. After the action repository is created in your enterprise, people in your enterprise can use the destination repository to reference the action in their workflows. For the example action shown above:
 ```yaml
+ {% data reusables.actions.actions-not-certified-by-github-comment %}
 uses: synced-actions/actions-stale@v1
 ```
diff --git a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
index 7af3d7da116d..f67bc94e67cd 100644
--- a/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
+++ b/content/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions.md
@@ -55,6 +55,7 @@ To access a private container registry on AWS with a user name and password, a w
 In this example, when {% data variables.product.prodname_dependabot %} triggers the workflow, the {% data variables.product.prodname_dependabot %} secrets with the names `READONLY_AWS_ACCESS_KEY_ID` and `READONLY_AWS_ACCESS_KEY` are used. If another actor triggers the workflow, the actions secrets with those names are used.
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: CI
 on:
   pull_request:
diff --git a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
index e381d6513875..8cf6baf132a5 100644
--- a/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
+++ b/content/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions.md
@@ -53,6 +53,7 @@ Example:
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot fetch metadata
 on: pull_request
@@ -89,6 +90,7 @@ Example that flags all production dependency updates with a label:
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-label
 on: pull_request
@@ -124,6 +126,7 @@ Example:
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-approve
 on: pull_request
@@ -160,6 +163,7 @@ You can instead use {% data variables.product.prodname_actions %} and the {% dat
 {% raw %}
 ```yaml copy
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: Dependabot auto-merge
 on: pull_request
diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md
index 162532dbba67..26f89c77c7a0 100644
--- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md
+++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api.md
@@ -50,7 +50,7 @@ If you have external tools which create or manage Software Bills of Materials (S
 For example, the following [SPDX Dependency Submission Action](https://github.com/marketplace/actions/spdx-dependency-submission-action) workflow calculates the dependencies for a repository, generates an exportable SBOM in SPDX 2.2 format, and submits it to the {% data variables.dependency-submission-api.name %}.
 ```yaml
-
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 name: SBOM upload
 on:
diff --git a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
index 826e7d476144..85e30cfffabe 100644
--- a/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
+++ b/content/copilot/how-tos/use-copilot-agents/coding-agent/extend-coding-agent-with-mcp.md
@@ -208,6 +208,7 @@ To use the Azure DevOps MCP server with {% data variables.copilot.copilot_coding
 1. Add an Azure login step to the `copilot-setup-steps` workflow job.
 ```yaml copy
+ {% data reusables.actions.actions-not-certified-by-github-comment %}
 on:
   workflow_dispatch:
 permissions: