Skip to content

Clarify runtime-import path validation examples in templating docs#16133

Merged
pelikhan merged 2 commits intomainfrom
copilot/update-templating-docs-examples
Feb 16, 2026
Merged

Clarify runtime-import path validation examples in templating docs#16133
pelikhan merged 2 commits intomainfrom
copilot/update-templating-docs-examples

Conversation

Copy link
Contributor

Copilot AI commented Feb 16, 2026
edited
Loading

The runtime-import path validation documentation showed two relative traversal examples (different depths) as invalid paths, obscuring that absolute paths are also rejected.

Changes

Updated docs/src/content/docs/reference/templating.md:

  • Path Validation section: Changed second invalid example from ../../etc/passwd (relative traversal) to /etc/passwd (absolute path)
  • Error Handling section: Split single example into two distinct cases with labels:
    • Relative traversal: ../src/main.go
    • Absolute path: /etc/passwd

The examples now map directly to the two validation conditions in runtime_import.cjs:

if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
  throw new Error(`Security: Path ${filepathOrUrl} must be within .github folder`);
}
Original prompt

This section details on the original issue you should resolve

<issue_title>[deep-report] Clarify runtime-import path validation examples in templating docs</issue_title>
<issue_description>### Description
User Experience Analysis recommends improving docs/src/content/docs/reference/templating.md to distinguish invalid runtime-import paths (relative traversal vs absolute paths) rather than repeating identical error examples. Update the examples to show distinct failure cases.

Expected Impact

Reduces user confusion and improves clarity of security constraints for runtime imports.

Suggested Agent

Documentation Agent

Estimated Effort

Fast (< 30 min)

Data Source

DeepReport Intelligence Briefing - 2026-02-16 (User Experience Analysis, discussion #16093)

Generated by DeepReport - Intelligence Gathering Agent

  • expires on Feb 18, 2026, 3:28 PM UTC

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

@pelikhan
docs: clarify runtime-import path validation with distinct examples
c35ed8a 
Update templating.md to show two distinct security violation cases:
- Relative traversal (../) attempting to escape .github folder
- Absolute paths (/etc/passwd) which are not allowed

Previously both examples were relative traversal with different depths.
This improves clarity of security constraints for users.

Fixes #16093

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Clarify runtime-import path validation examples in templating docs Clarify runtime-import path validation examples in templating docs Feb 16, 2026
Copilot AI requested a review from pelikhan February 16, 2026 15:48
@pelikhan pelikhan marked this pull request as ready for review February 16, 2026 15:49
Copilot AI review requested due to automatic review settings February 16, 2026 15:49
@pelikhan pelikhan merged commit a0065c6 into main Feb 16, 2026
57 checks passed
@pelikhan pelikhan deleted the copilot/update-templating-docs-examples branch February 16, 2026 15:49
Copilot AI reviewed Feb 16, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR clarifies the runtime-import path validation documentation by providing distinct examples for the two types of invalid paths that are rejected by the security validation logic. Previously, both invalid examples showed relative path traversal at different depths, obscuring the fact that absolute paths are also rejected.

Changes:

  • Updated Path Validation section to show one relative traversal example (../src/config.go) and one absolute path example (/etc/passwd)
  • Enhanced Error Handling section by splitting a single example into two labeled cases with distinct error scenarios
  • Aligned examples with the two validation conditions in runtime_import.cjs: relativePath.startsWith("..") OR path.isAbsolute(relativePath)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pelikhan pelikhan pelikhan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[deep-report] Clarify runtime-import path validation examples in templating docs

3 participants

@pelikhan