[docs] Update documentation for security features from 2025-11-02

[github-actions]

Documentation Updates - 2025-11-02

This PR updates the documentation based on security features merged in the last 24 hours.

Features Documented

• Fork filtering for pull_request triggers - Default deny-by-default behavior and forks field configuration (from Change default fork behavior for pull_request triggers to deny-by-default #2970)
• workflow_run trigger security - Automatic repository validation and branch restriction requirements (from Add repository ID check to workflow_run triggers to prevent cross-repo execution #2960, Add workflow_run branch restriction validation (warning in normal mode, error in strict mode) #2963)
• Manual approval gates - manual-approval field for environment-gated workflows (from Add manual-approval field to on section for environment-gated workflows #2959)

Changes Made

• docs/src/content/docs/guides/security.md

  • Added "Fork Protection for Pull Request Triggers" section documenting the new default deny-by-default behavior and forks field patterns
  • Added "workflow_run Trigger Security" section explaining automatic repository ID validation and branch restriction requirements
  • Updated "Human in the Loop" section with manual-approval configuration example and link to detailed docs

• docs/src/content/docs/reference/triggers.md

  • Added "Fork Filtering (forks:)" subsection under Pull Request Triggers with configuration patterns and security implications
  • Added new "Workflow Run Triggers (workflow_run:)" section with security protections documentation
  • Added "Manual Approval Gates (manual-approval:)" section explaining environment-based approval workflow

• docs/src/content/docs/reference/frontmatter.md

  • Updated "Trigger Events (on:)" section to list additional fields: reaction, stop-after, manual-approval, and forks

Merged PRs Referenced

• Change default fork behavior for pull_request triggers to deny-by-default #2970 - Change default fork behavior for pull_request triggers to deny-by-default
• Add repository ID check to workflow_run triggers to prevent cross-repo execution #2960 - Add repository ID check to workflow_run triggers to prevent cross-repo execution
• Add workflow_run branch restriction validation (warning in normal mode, error in strict mode) #2963 - Add workflow_run branch restriction validation (warning in normal mode, error in strict mode)
• Add manual-approval field to on section for environment-gated workflows #2959 - Add manual-approval field to on section for environment-gated workflows

Documentation Standards

All changes follow the Diátaxis framework guidelines:

• Used reference format for technical descriptions in frontmatter and triggers docs
• Used explanation format for security implications in security guide
• Maintained neutral, technical tone throughout
• Used proper markdown heading syntax
• Included cross-references between related sections
• Kept examples minimal and focused

Notes

The documentation focuses on user-facing security features that affect workflow configuration. Internal implementation changes in PRs #2961, #2962, #2935, #2944, #2946, and #2947 do not require user documentation updates as they improve internal code quality without changing the user-facing API.

🤖 Generated with Claude Code

AI generated by Daily Documentation Updater