[docs] docs: debloat templating.md (-72 lines, -21.6%)#17003
Conversation
Condensed Common Use Cases from 4 near-identical examples to 2 combined examples, replaced verbose Error Handling code blocks with a compact table, collapsed the Caching bullet list into prose, and tightened the Security Features "Content Sanitization" description. Reduces file from 334 to 262 lines (-72 lines, -21.6%) while preserving all technical content. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions
bot
added
automation
documentation
There was a problem hiding this comment.
Pull request overview
Reduces verbosity in the templating reference documentation by consolidating repetitive examples and compressing several sections while aiming to preserve the same technical guidance.
Changes:
- Consolidated URL import examples and simplified related prose.
- Compressed security, caching, and processing-order sections into shorter descriptions.
- Replaced multiple error-handling code blocks with a compact table.
Comments suppressed due to low confidence (2)
docs/src/content/docs/reference/templating.md:253
- The “Path traversal” row truncates the actual error and drops the
(resolves to: ...)detail that’s included in the thrown message (actions/setup/js/runtime_import.cjs:775-777). For accuracy/troubleshooting, include the full message (or at least indicate that the resolved path is reported).
| Path traversal | `Security: Path ../src/main.go must be within .github folder` |
docs/src/content/docs/reference/templating.md:254
- The “GitHub Actions macros” row doesn’t match the actual runtime-import error format. Unauthorized expressions throw a multi-line error like
<source> contains unauthorized GitHub Actions expressions:followed by a bullet list and allowed categories (actions/setup/js/runtime_import.cjs:413-425). Please update this row to reflect the real message structure/content.
| GitHub Actions macros | `File template.md contains GitHub Actions macros (${{ ... }}) which are not allowed in runtime imports` |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| Follow this checklist: | ||
|
|
||
| {{#runtime-import https://company.com/security/api-checklist.md}} |
There was a problem hiding this comment.
This heading says the URL example includes a line range, but the URL import shown doesn’t specify one (it’s a plain .../api-checklist.md). Either update the heading or add a :start-end suffix to the URL so the example matches the described feature.
| {{#runtime-import https://company.com/security/api-checklist.md}} | |
| {{#runtime-import https://company.com/security/api-checklist.md:10-50}} |
| Current implementation (from .github/docs/engine.go): | ||
|
|
||
| Reference implementation (lines 100-150): | ||
| {{#runtime-import docs/engine.go:100-150}} |
There was a problem hiding this comment.
{{#runtime-import docs/engine.go:100-150}} is ambiguous given the runtime-import path resolution rules. The runtime importer rewrites paths that don’t start with .github/ to live under .github/workflows/ (actions/setup/js/runtime_import.cjs:731-734), so this will resolve to .github/workflows/docs/engine.go, not .github/docs/engine.go. Adjust the example path/text to match the actual resolution you intend.
| {{#runtime-import docs/engine.go:100-150}} | |
| {{#runtime-import workflows/docs/engine.go:100-150}} |
| @@ -290,41 +246,13 @@ Suggested improvements needed. | |||
|
|
|||
| ### Error Handling | |||
|
|
|||
There was a problem hiding this comment.
The “File not found” error message is shown without the outer wrapper that runtime-import processing adds. In the implementation, errors are rethrown as Failed to process runtime import for <path>: <inner error> (actions/setup/js/runtime_import.cjs:951-954). Consider showing the full user-facing message (or explicitly noting it’s the inner error only).
This issue also appears in the following locations of the same file:
- line 253
- line 254
| These examples show the inner error messages only. At runtime, errors are wrapped as: | |
| `Failed to process runtime import for <path>: <inner error>`. |
| - Template injection attacks | ||
| - Unintended variable expansion | ||
| - Security vulnerabilities from imported content | ||
| **Content Sanitization:** YAML front matter and HTML/XML comments are automatically stripped. GitHub Actions expressions (`${{ ... }}`) are **rejected with error** to prevent template injection and unintended variable expansion. |
There was a problem hiding this comment.
The Content Sanitization text says GitHub Actions expressions (${{ ... }}) are "rejected with error", but runtime imports actually allow a safe subset of expressions and only reject unauthorized ones (see docs earlier under “Permitted expressions” and implementation in actions/setup/js/runtime_import.cjs:processExpressions). Please reword to reflect that only unauthorized/unsafe expressions are rejected.
| **Content Sanitization:** YAML front matter and HTML/XML comments are automatically stripped. GitHub Actions expressions (`${{ ... }}`) are **rejected with error** to prevent template injection and unintended variable expansion. | |
| **Content Sanitization:** YAML front matter and HTML/XML comments are automatically stripped. Only permitted GitHub Actions expressions (`${{ ... }}`) are evaluated; unauthorized expressions are **rejected with error** to prevent template injection and unintended variable expansion. |
Reduces
docs/src/content/docs/reference/templating.mdfrom 334 lines to 262 lines (-72 lines, -21.6%) while preserving all technical content.What was improved
File:
docs/src/content/docs/reference/templating.mdBloat removed
\{\\{\#runtime-import}}examplesWhat was preserved
Blocked Domains (screenshot attempt)
Screenshots of the rendered Astro Starlight page could not be captured. The Playwright browser sandbox blocks connections to
127.0.0.1and private network IPs (ERR_CONNECTION_REFUSED/ERR_BLOCKED_BY_CLIENT), preventing localhost preview navigation.References: §22205316494