Add disclaimer + improve security for third party actions (#20227)

Author: skedwards88

content/actions/guides/adding-labels-to-issues.md

@@ -16,6 +16,7 @@ topics:
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
 {% data reusables.actions.ae-self-hosted-runners-notice %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -30,6 +31,8 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
 3. Copy the following YAML contents into your workflow file.
 
     ```yaml{:copy}
+{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+
     name: Label issues
     on:
       issues:
@@ -43,7 +46,7 @@ In the tutorial, you will first make a workflow file that uses the [`andymckay/l
           issues: write{% endif %}
         steps:
           - name: Label issues
-            uses: andymckay/labeler@1.0.2
+            uses: andymckay/labeler@5c59dabdfd4dd5bd9c6e6d255b01b9d764af4414
             with:
               add-labels: "triage"
               repo-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}

content/actions/guides/building-and-testing-java-with-gradle.md

@@ -19,6 +19,7 @@ shortTitle: Build & test Java & Gradle
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -47,8 +48,9 @@ To get started quickly, you can choose the preconfigured Gradle template when yo
 
 You can also add this workflow manually by creating a new file in the `.github/workflows` directory of your repository.
 
-{% raw %}
 ```yaml{:copy}
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Java CI
 
 on: [push]
@@ -65,11 +67,10 @@ jobs:
           java-version: '11'
           distribution: 'adopt'
       - name: Validate Gradle wrapper
-        uses: gradle/wrapper-validation-action@v1
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
       - name: Build with Gradle
         run: ./gradlew build
 ```
-{% endraw %}
 
 This workflow performs the following steps:
 
@@ -101,7 +102,7 @@ steps:
       java-version: '11'
       distribution: 'adopt'
   - name: Validate Gradle wrapper
-    uses: gradle/wrapper-validation-action@v1
+    uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
   - name: Run the Gradle package task
     run: ./gradlew -b ci.gradle package
 ```
@@ -121,7 +122,7 @@ steps:
       java-version: '11'
       distribution: 'adopt'
   - name: Validate Gradle wrapper
-    uses: gradle/wrapper-validation-action@v1
+    uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
   - name: Cache Gradle packages
     uses: actions/cache@v2
     with:
@@ -159,7 +160,7 @@ steps:
       java-version: '11'
       distribution: 'adopt'
   - name: Validate Gradle wrapper
-    uses: gradle/wrapper-validation-action@v1
+    uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
   - run: ./gradlew build
   - uses: actions/upload-artifact@v2
     with:

content/actions/guides/building-and-testing-python.md

@@ -18,6 +18,7 @@ shortTitle: Build & test Python
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -402,12 +403,8 @@ You can configure your workflow to publish your Python package to a package regi
 
 For this example, you will need to create two [PyPI API tokens](https://pypi.org/help/#apitoken). You can use secrets to store the access tokens or credentials needed to publish your package. For more information, see "[Creating and using encrypted secrets](/github/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)."
 
-{% raw %}
 ```yaml{:copy}
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 
 name: Upload Python Package
 
@@ -434,8 +431,7 @@ jobs:
         uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
         with:
           user: __token__
-          password: ${{ secrets.PYPI_API_TOKEN }}
+          password: {% raw %}${{ secrets.PYPI_API_TOKEN }}{% endraw %}
 ```
-{% endraw %}
 
 For more information about the template workflow, see [`python-publish`](https://github.com/actions/starter-workflows/blob/main/ci/python-publish.yml).

content/actions/guides/building-and-testing-ruby.md

@@ -15,6 +15,7 @@ topics:
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -33,8 +34,9 @@ We recommend that you have a basic understanding of Ruby, YAML, workflow configu
 
 To get started quickly, add the template to the `.github/workflows` directory of your repository. The workflow shown below assumes that the default branch for your repository is `main`.
 
-{% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Ruby
 
 on:
@@ -51,15 +53,14 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
         with:
           ruby-version: 2.6
       - name: Install dependencies
         run: bundle install
       - name: Run tests
         run: bundle exec rake
 ```
-{% endraw %}
 
 ## Specifying the Ruby version
 
@@ -73,7 +74,7 @@ The `setup-ruby` action takes a Ruby version as an input and configures that ver
 ```yaml
 steps:
 - uses: actions/checkout@v2
-- uses: ruby/setup-ruby@v1
+- uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
   with:
     ruby-version: 2.6 # Not needed with a .ruby-version file
 - run: bundle install
@@ -99,8 +100,9 @@ Each version of Ruby specified in the `ruby-version` array creates a job that ru
 
 The full updated workflow with a matrix strategy could look like this:
 
-{% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Ruby CI
 
 on:
@@ -120,16 +122,15 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: Set up Ruby ${{ matrix.ruby-version }}
-        uses: ruby/setup-ruby@v1
+      - name: {% raw %}Set up Ruby ${{ matrix.ruby-version }}{% endraw %}
+        uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
         with:
-          ruby-version: ${{ matrix.ruby-version }}
+          ruby-version: {% raw %}${{ matrix.ruby-version }}{% endraw %}
       - name: Install dependencies
         run: bundle install
       - name: Run tests
         run: bundle exec rake
 ```
-{% endraw %}
 
 ## Installing dependencies with Bundler
 
@@ -139,7 +140,7 @@ The `setup-ruby` action will automatically install bundler for you. The version
 ```yaml
 steps:
 - uses: actions/checkout@v2
-- uses: ruby/setup-ruby@v1
+- uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
   with:
     ruby-version: 2.6
 - run: bundle install
@@ -155,7 +156,7 @@ To enable caching, set the following.
 {% raw %}
 ```yaml
 steps:
-- uses: ruby/setup-ruby@v1
+- uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
     with:
       bundler-cache: true
 ```
@@ -205,8 +206,9 @@ steps:
 
 The following example matrix tests all stable releases and head versions of MRI, JRuby and TruffleRuby on Ubuntu and macOS.
 
-{% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Matrix Testing
 
 on:
@@ -217,29 +219,29 @@ on:
 
 jobs:
   test:
-    runs-on: ${{ matrix.os }}-latest
+    runs-on: {% raw %}${{ matrix.os }}-latest{% endraw %}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu, macos]
         ruby: [2.5, 2.6, 2.7, head, debug, jruby, jruby-head, truffleruby, truffleruby-head]
-    continue-on-error: ${{ endsWith(matrix.ruby, 'head') || matrix.ruby == 'debug' }}
+    continue-on-error: {% raw %}${{ endsWith(matrix.ruby, 'head') || matrix.ruby == 'debug' }}{% endraw %}
     steps:
       - uses: actions/checkout@v2
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
         with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: {% raw %}${{ matrix.ruby }}{% endraw %}
       - run: bundle install
       - run: bundle exec rake
 ```
-{% endraw %}
 
 ## Linting your code
 
 The following example installs `rubocop` and uses it to lint all files. For more information, see [Rubocop](https://github.com/rubocop-hq/rubocop). You can [configure Rubocop](https://docs.rubocop.org/rubocop/configuration.html) to decide on the specific linting rules.
 
-{% raw %}
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Linting
 
 on: [push]
@@ -249,14 +251,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
         with:
           ruby-version: 2.6
       - run: bundle install
       - name: Rubocop
         run: rubocop
 ```
-{% endraw %}
 
 ## Publishing Gems
 
@@ -265,6 +266,7 @@ You can configure your workflow to publish your Ruby package to any package regi
 You can store any access tokens or credentials needed to publish your package using repository secrets. The following example creates and publishes a package to `GitHub Package Registry` and `RubyGems`.
 
 ```yaml
+{% data reusables.actions.actions-not-certified-by-github-comment %}
 
 name: Ruby Gem
 
@@ -288,7 +290,7 @@ jobs:
     steps:{% raw %}
       - uses: actions/checkout@v2
       - name: Set up Ruby 2.6
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
         with:
           ruby-version: 2.6
       - run: bundle install

content/actions/guides/building-and-testing-swift.md

@@ -16,6 +16,7 @@ shortTitle: Build & test Swift
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -68,31 +69,31 @@ The examples below demonstrate using the `fwal/setup-swift` action.
 
 You can configure your job to use a multiple versions of Swift in a build matrix.
 
-{% raw %}
 ```yaml{:copy}
+{% data reusables.actions.actions-not-certified-by-github-comment %}
+
 name: Swift
 
 on: [push]
 
 jobs:
   build:
-    name: Swift ${{ matrix.swift }} on ${{ matrix.os }}
+    name: {% raw %}Swift ${{ matrix.swift }} on ${{ matrix.os }}{% endraw %}
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
         swift: ["5.2", "5.3"]
-    runs-on: ${{ matrix.os }}
+    runs-on: {% raw %}${{ matrix.os }}{% endraw %}
     steps:
-      - uses: fwal/setup-swift@v1
+      - uses: fwal/setup-swift@d43a564349d1341cd990cfbd70d94d63b8899475
         with:
-          swift-version: ${{ matrix.swift }}
-      - uses: actions/checkout@v2
+          swift-version: {% raw %}${{ matrix.swift }}{% endraw %}
+      - uses: actions/checkout@
       - name: Build
         run: swift build
       - name: Run tests
         run: swift test
 ```
-{% endraw %}
 
 ### Using a single specific Swift version
 
@@ -101,7 +102,7 @@ You can configure your job to use a single specific version of Swift, such as `5
 {% raw %}
 ```yaml{:copy}
 steps:
-  - uses: fwal/setup-swift@v1
+  - uses: fwal/setup-swift@d43a564349d1341cd990cfbd70d94d63b8899475
     with:
       swift-version: "5.3.3"
   - name: Get swift version
@@ -117,7 +118,7 @@ You can use the same commands that you use locally to build and test your code u
 ```yaml{:copy}
 steps:
   - uses: actions/checkout@v2
-  - uses: fwal/setup-swift@v1
+  - uses: fwal/setup-swift@d43a564349d1341cd990cfbd70d94d63b8899475
     with:
       swift-version: "5.3.3"
   - name: Build

content/actions/guides/commenting-on-an-issue-when-a-label-is-added.md

@@ -17,6 +17,7 @@ shortTitle: Add label to comment on issue
 {% data reusables.actions.enterprise-github-hosted-runners %}
 {% data reusables.actions.ae-beta %}
 {% data reusables.actions.ae-self-hosted-runners-notice %}
+{% data reusables.actions.actions-not-certified-by-github-note %}
 
 ## Introduction
 
@@ -31,6 +32,8 @@ In the tutorial, you will first make a workflow file that uses the [`peter-evans
 3. Copy the following YAML contents into your workflow file.
 
     ```yaml{:copy}
+{% indented_data_reference reusables.actions.actions-not-certified-by-github-comment spaces=4 %}
+
     name: Add comment
     on:
       issues:
@@ -44,7 +47,7 @@ In the tutorial, you will first make a workflow file that uses the [`peter-evans
           issues: write{% endif %}
         steps:
           - name: Add comment
-            uses: peter-evans/create-or-update-comment@v1
+            uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae
             with:
               issue-number: {% raw %}${{ github.event.issue.number }}{% endraw %}
               body: |