-
Notifications
You must be signed in to change notification settings - Fork 252
[docs] docs: debloat templating.md (-72 lines, -21.6%) #17003
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -171,33 +171,18 @@ Analyze issue #${{ github.event.issue.number }}. | |||||||||
|
|
||||||||||
| ### URL Imports | ||||||||||
|
|
||||||||||
| The macro syntax supports HTTP/HTTPS URLs. Fetched content is **cached for 1 hour** to reduce network requests. URLs are **not restricted to `.github` folder** - you can fetch any public URL. | ||||||||||
|
|
||||||||||
| **Macro syntax:** | ||||||||||
| The macro syntax supports HTTP/HTTPS URLs. URLs are **not restricted to `.github` folder** and content is cached for 1 hour. | ||||||||||
|
|
||||||||||
| ```aw wrap | ||||||||||
| {{#runtime-import https://raw.githubusercontent.com/org/repo/main/checklist.md}} | ||||||||||
| ``` | ||||||||||
|
|
||||||||||
| **URL with line range:** | ||||||||||
|
|
||||||||||
| ```aw wrap | ||||||||||
| {{#runtime-import https://example.com/standards.md:10-50}} | ||||||||||
| ``` | ||||||||||
|
|
||||||||||
| ### Security Features | ||||||||||
|
|
||||||||||
| All runtime imports include automatic security protections: | ||||||||||
|
|
||||||||||
| **Content Sanitization:** | ||||||||||
| - YAML front matter is automatically removed | ||||||||||
| - HTML/XML comments are stripped | ||||||||||
| - GitHub Actions expressions (`${{ ... }}`) are **rejected with error** | ||||||||||
| All runtime imports include automatic security protections. | ||||||||||
|
|
||||||||||
| This prevents: | ||||||||||
| - Template injection attacks | ||||||||||
| - Unintended variable expansion | ||||||||||
| - Security vulnerabilities from imported content | ||||||||||
| **Content Sanitization:** YAML front matter and HTML/XML comments are automatically stripped. GitHub Actions expressions (`${{ ... }}`) are **rejected with error** to prevent template injection and unintended variable expansion. | ||||||||||
|
|
||||||||||
| **Path Validation:** | ||||||||||
|
|
||||||||||
|
|
@@ -215,27 +200,19 @@ File paths are **restricted to the `.github` folder** to prevent access to arbit | |||||||||
|
|
||||||||||
| ### Caching | ||||||||||
|
|
||||||||||
| **URL caching** reduces network overhead: | ||||||||||
| - Cache location: `/tmp/gh-aw/url-cache/` | ||||||||||
| - Cache duration: 1 hour | ||||||||||
| - Cache key: SHA256 hash of URL | ||||||||||
| - Cache scope: Per workflow run (ephemeral) | ||||||||||
|
|
||||||||||
| First URL fetch adds latency (~500ms-2s), subsequent accesses use cached content. | ||||||||||
| Fetched URLs are cached for 1 hour per workflow run at `/tmp/gh-aw/url-cache/` (keyed by SHA256 hash). The first fetch adds ~500ms–2s latency; subsequent accesses use cached content. | ||||||||||
|
|
||||||||||
| ### Processing Order | ||||||||||
|
|
||||||||||
| Runtime imports are processed as part of the overall templating pipeline: | ||||||||||
| Runtime imports are processed before other substitutions: | ||||||||||
|
|
||||||||||
| ``` | ||||||||||
| 1. {{#runtime-import}} macros processed (files and URLs) | ||||||||||
| 2. ${GH_AW_EXPR_*} variable interpolation | ||||||||||
| 3. {{#if}} template conditionals rendered | ||||||||||
| ``` | ||||||||||
| 1. `{{#runtime-import}}` macros processed (files and URLs) | ||||||||||
| 2. `${GH_AW_EXPR_*}` variable interpolation | ||||||||||
| 3. `{{#if}}` template conditionals rendered | ||||||||||
|
|
||||||||||
| ### Common Use Cases | ||||||||||
|
|
||||||||||
| **1. Shared coding standards:** | ||||||||||
| **Shared instructions from a file:** | ||||||||||
|
|
||||||||||
| ```aw wrap | ||||||||||
| # Code Review Agent | ||||||||||
|
|
@@ -246,38 +223,17 @@ Runtime imports are processed as part of the overall templating pipeline: | |||||||||
| Review the pull request changes. | ||||||||||
| ``` | ||||||||||
|
|
||||||||||
| **2. External security checklists:** | ||||||||||
| **External content from a URL, with line range:** | ||||||||||
|
|
||||||||||
| ```aw wrap | ||||||||||
| # Security Audit | ||||||||||
|
|
||||||||||
| Follow this checklist: | ||||||||||
|
|
||||||||||
| {{#runtime-import https://company.com/security/api-checklist.md}} | ||||||||||
|
||||||||||
| {{#runtime-import https://company.com/security/api-checklist.md}} | |
| {{#runtime-import https://company.com/security/api-checklist.md:10-50}} |
Copilot
AI
Feb 20, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
{{#runtime-import docs/engine.go:100-150}} is ambiguous given the runtime-import path resolution rules. The runtime importer rewrites paths that don’t start with .github/ to live under .github/workflows/ (actions/setup/js/runtime_import.cjs:731-734), so this will resolve to .github/workflows/docs/engine.go, not .github/docs/engine.go. Adjust the example path/text to match the actual resolution you intend.
| {{#runtime-import docs/engine.go:100-150}} | |
| {{#runtime-import workflows/docs/engine.go:100-150}} |
Copilot
AI
Feb 20, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The “File not found” error message is shown without the outer wrapper that runtime-import processing adds. In the implementation, errors are rethrown as Failed to process runtime import for <path>: <inner error> (actions/setup/js/runtime_import.cjs:951-954). Consider showing the full user-facing message (or explicitly noting it’s the inner error only).
This issue also appears in the following locations of the same file:
- line 253
- line 254
| These examples show the inner error messages only. At runtime, errors are wrapped as: | |
| `Failed to process runtime import for <path>: <inner error>`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Content Sanitization text says GitHub Actions expressions (
${{ ... }}) are "rejected with error", but runtime imports actually allow a safe subset of expressions and only reject unauthorized ones (see docs earlier under “Permitted expressions” and implementation in actions/setup/js/runtime_import.cjs:processExpressions). Please reword to reflect that only unauthorized/unsafe expressions are rejected.