From 77c108fdb81cd377307b3e7cf6a804b70c42b719 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Feb 2026 15:43:21 +0000 Subject: [PATCH 1/2] Initial plan From c35ed8a03f167094a69227a9ee6a4cf8a9c1787d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 16 Feb 2026 15:46:52 +0000 Subject: [PATCH 2/2] docs: clarify runtime-import path validation with distinct examples Update templating.md to show two distinct security violation cases: - Relative traversal (../) attempting to escape .github folder - Absolute paths (/etc/passwd) which are not allowed Previously both examples were relative traversal with different depths. This improves clarity of security constraints for users. Fixes #16093 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- docs/src/content/docs/reference/templating.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/src/content/docs/reference/templating.md b/docs/src/content/docs/reference/templating.md index acad6b50324..6014535594f 100644 --- a/docs/src/content/docs/reference/templating.md +++ b/docs/src/content/docs/reference/templating.md @@ -177,9 +177,9 @@ File paths are **restricted to the `.github` folder** to prevent access to arbit {{#runtime-import shared-instructions.md}} # Loads .github/shared-instructions.md {{#runtime-import .github/shared-instructions.md}} # Same - .github/ prefix is trimmed -# ❌ Invalid - Attempts to escape .github folder -{{#runtime-import ../src/config.go}} # Error: Must be within .github folder -{{#runtime-import ../../etc/passwd}} # Error: Must be within .github folder +# ❌ Invalid - Security violations +{{#runtime-import ../src/config.go}} # Error: Relative traversal outside .github +{{#runtime-import /etc/passwd}} # Error: Absolute path not allowed ``` ### Caching 
@@ -272,10 +272,14 @@ Runtime import file not found: missing.txt Invalid start line 100 for file docs/main.go (total lines: 50) ``` -**Path security violation:** +**Path security violations:** ``` -Security: Path ../../../etc/passwd must be within .github folder +# Relative traversal +Security: Path ../src/main.go must be within .github folder (resolves to: ../src/main.go) + +# Absolute path +Security: Path /etc/passwd must be within .github folder (resolves to: /etc/passwd) ``` **GitHub Actions macros detected:**
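Review bot: In the first templating.md hunk (@@ -177,9 +177,9 @@), the two new inline comments, `# Error: Relative traversal outside .github` and `# Error: Absolute path not allowed`, use wording that differs from the error text this same patch documents in the later hunk, where both cases read `must be within .github folder`. A reader searching the docs for the message they actually received will not match these lines, and "Absolute path not allowed" reads as a separate rule rather than the same containment check. Suggest keeping the documented message in the comment and appending the case name, e.g. `# Error: Must be within .github folder (absolute path)`. The new header `# ❌ Invalid - Security violations` also drops the statement of the rule that the old header carried ("Attempts to escape .github folder"); consider keeping both, since the rule is what the reader needs to fix their import.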
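Review bot: In the second hunk (@@ -272,10 +272,14 @@), both new sample messages show a `resolves to:` value identical to the input path (`../src/main.go` and `/etc/passwd`), so the parenthetical conveys nothing as written, and for the relative case it does not look like a resolved path. These samples should be checked against real output and pasted verbatim, since users will compare them character for character. The `# Relative traversal` and `# Absolute path` labels sit inside the output fence, where they can be mistaken for printed text; move them into prose above each message or into separate fences. Minor: the relative example here uses `../src/main.go` while the syntax example in the earlier hunk uses `../src/config.go`; using one path in both places lets readers connect the invalid import to the error it produces.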