Document firewall sandbox exclusion for custom steps, jobs, and hybrid workflows #13808

Merged
pelikhan merged 2 commits into main from copilot/update-documentation-hybrid-computations
Feb 4, 2026

Copilot AI commented Feb 4, 2026

Custom steps, post-steps, and custom jobs execute outside the firewall sandbox with standard GitHub Actions security only. Users may mistakenly run agentic compute in these contexts, bypassing network egress controls.

Changes

  • reference/frontmatter.md: Added [!CAUTION] alerts to Custom Steps, Post-Execution Steps, and Custom Jobs sections
  • guides/deterministic-agentic-patterns.md: Added [!CAUTION] alert at document start, [!WARNING] in Architecture section with diagram context, and security note in Best Practices

Security Boundary

> [!CAUTION]
> Security Notice: Custom steps run OUTSIDE the firewall sandbox. These steps 
> execute with standard GitHub Actions security but do NOT have the network 
> egress controls that protect the agent job. Do not run agentic compute or 
> untrusted AI execution in custom steps—use them only for deterministic data 
> preparation, preprocessing, or filtering.

All warnings specify:

  • Run location (OUTSIDE firewall)
  • Security model (standard GitHub Actions, not enhanced)
  • Appropriate use (deterministic operations only)
  • Prohibited use (no agentic compute)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

In the documentation about steps and jobs and hybrid computations, make it clear that these do NOT run under the firewall. It is not recommended to run any agentic compute in these steps.

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using GitHub Docs voice
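
An added example, not part of the pull request or the gh-aw project: a heuristic check that flags agent CLI invocations in the frontmatter sections this PR documents as running outside the firewall sandbox. The key names `steps`, `post-steps` and `jobs`, the list of CLI names, and the sample workflow are assumptions made for illustration.

```python
import re

# Assumed frontmatter keys for the contexts documented as outside the firewall sandbox.
UNSANDBOXED_KEYS = {"steps", "post-steps", "jobs"}
# Assumed, illustrative list of agent CLIs; extend it for your environment.
AGENT_CMD = re.compile(r"(?<![\w./-])(copilot|claude|codex)(?![\w-])")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][\w-]*):")

def frontmatter_lines(text):
    """Yield (line_number, line) for lines between the first two '---' fences."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return
    for number, line in enumerate(lines[1:], start=2):
        if line.strip() == "---":
            return
        yield number, line

def find_unsandboxed_agent_calls(text):
    """Return (line_number, section, line) for agent CLI use in unsandboxed sections."""
    findings, section = [], None
    for number, line in frontmatter_lines(text):
        key = TOP_LEVEL_KEY.match(line)
        if key:
            section = key.group(1)  # an unindented key starts a new section
        stripped = line.strip()
        if section in UNSANDBOXED_KEYS and not stripped.startswith("#"):
            if AGENT_CMD.search(stripped):
                findings.append((number, section, stripped))
    return findings

# Constructed sample workflow file (not taken from the repository).
SAMPLE = """\
---
on: push
engine: copilot
steps:
  - name: Filter issues
    run: jq '.[] | select(.state == "open")' issues.json > open.json
post-steps:
  - name: Summarize
    run: npx claude -p "summarize open.json"
---
Review open.json and label the issues.
"""

for finding in find_unsandboxed_agent_calls(SAMPLE):
    print(finding)
```

The check is line-based rather than a YAML parse, so it can miss commands hidden behind scripts or variables; treat a clean result as a first pass only.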


…s docs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Clarify steps and jobs do not run under firewall" to "Document firewall sandbox exclusion for custom steps, jobs, and hybrid workflows" Feb 4, 2026
Copilot AI requested a review from pelikhan February 4, 2026 23:05
pelikhan marked this pull request as ready for review February 4, 2026 23:09
Copilot AI review requested due to automatic review settings February 4, 2026 23:09
pelikhan merged commit 1f19af0 into main Feb 4, 2026
1 check passed
pelikhan deleted the copilot/update-documentation-hybrid-computations branch February 4, 2026 23:09

Copilot AI left a comment

Pull request overview

This PR adds critical security documentation clarifying that custom steps, post-execution steps, and custom jobs execute outside the firewall sandbox with only standard GitHub Actions security. This is important because users could mistakenly run agentic compute in these contexts, bypassing network egress controls.

Changes:

  • Added CAUTION alerts to Custom Steps, Post-Execution Steps, and Custom Jobs sections in the frontmatter reference documentation
  • Added comprehensive security warnings in the Deterministic & Agentic Patterns guide at the document start, in the Architecture section, and in Best Practices
  • Fixed incorrect CLI command link reference

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| docs/src/content/docs/setup/creating-workflows.mdx | Fixed broken link to CLI run command documentation |
| docs/src/content/docs/reference/frontmatter.md | Added CAUTION alerts to Custom Steps, Post-Execution Steps, and Custom Jobs sections warning they run outside firewall sandbox |
| docs/src/content/docs/guides/deterministic-agentic-patterns.md | Added CAUTION at document start, WARNING in Architecture section with diagram context, and security note in Best Practices |
