From 261751e6630b5cd13377e4a618df606493a1b3b7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 16 Mar 2026 04:30:54 +0000 Subject: [PATCH] docs: document local/dev-tools/default-safe-outputs ecosystem identifiers Add missing ecosystem identifiers to network.md reference table: - `local`: loopback addresses (localhost, 127.0.0.1, ::1) - `dev-tools`: CI/CD and developer tool service domains - `default-safe-outputs`: compound baseline (defaults + dev-tools + github + local) - Expand `github` description to list specific included domains Update safe-outputs.md to document ecosystem identifier support in `allowed-domains`, including examples and a note on `default-safe-outputs` as the recommended baseline for URL redaction. Co-Authored-By: Claude Sonnet 4.6 --- docs/src/content/docs/reference/network.md | 5 ++++- docs/src/content/docs/reference/safe-outputs.md | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/docs/src/content/docs/reference/network.md b/docs/src/content/docs/reference/network.md index 5e8fc1761c..63df56a352 100644 --- a/docs/src/content/docs/reference/network.md +++ b/docs/src/content/docs/reference/network.md @@ -94,7 +94,10 @@ Mix ecosystem identifiers with specific domains for fine-grained control: | Identifier | Includes | |------------|----------| | `defaults` | Basic infrastructure (certificates, JSON schema, Ubuntu, package mirrors) | -| `github` | GitHub domains | +| `github` | GitHub domains (`github.com`, `docs.github.com`, `github.blog`, `*.githubusercontent.com`, and related) | +| `local` | Loopback addresses (`localhost`, `127.0.0.1`, `::1`) | +| `dev-tools` | Popular CI/CD and developer tool services (Codecov, Shields.io, Snyk, Renovate, CircleCI, etc.) | +| `default-safe-outputs` | Compound: `defaults` + `dev-tools` + `github` + `local` — recommended baseline for `safe-outputs.allowed-domains` | | `containers` | Docker Hub, GitHub Container Registry, Quay | | `linux-distros` | Debian, Alpine, and other Linux package repositories | | `dotnet`, `dart`, `go`, `haskell`, `java`, `julia`, `node`, `perl`, `php`, `python`, `ruby`, `rust`, `swift` | Language-specific package managers and registries | diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md index b38efc8867..a3ef9091a2 100644 --- a/docs/src/content/docs/reference/safe-outputs.md +++ b/docs/src/content/docs/reference/safe-outputs.md @@ -1425,7 +1425,21 @@ safe-outputs: allowed-github-references: [] # Escape all GitHub references ``` -**Domain Filtering** (`allowed-domains`): Controls which domains are allowed in URLs. URLs from other domains are replaced with `(redacted)`. +**Domain Filtering** (`allowed-domains`): Controls which domains are allowed in URLs. URLs from other domains are replaced with `(redacted)`. Accepts specific domain strings or [ecosystem identifiers](/gh-aw/reference/network/#ecosystem-identifiers): + +```yaml wrap +safe-outputs: + # Allow specific domains + allowed-domains: [api.example.com, "*.storage.example.com"] + + # Use ecosystem identifiers + allowed-domains: [default-safe-outputs] # defaults + dev-tools + github + local + + # Mix identifiers and custom domains + allowed-domains: [default-safe-outputs, api.example.com] +``` + +The `default-safe-outputs` compound ecosystem is the recommended baseline — it covers infrastructure certificates (`defaults`), GitHub domains (`github`), popular developer tooling (`dev-tools`), and loopback addresses (`local`). **Reference Escaping** (`allowed-github-references`): Controls which GitHub repository references (`#123`, `owner/repo#456`) are allowed in workflow output. When configured, references to unlisted repositories are escaped with backticks to prevent GitHub from creating timeline items. This is particularly useful for [SideRepoOps](/gh-aw/patterns/side-repo-ops/) workflows to prevent automation from cluttering your main repository's timeline.