From 2861a7159961a6d26adf6b3cfdd83879b4e94afe Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 20 Mar 2026 00:04:55 +0000 Subject: [PATCH] docs: remove redundant content from templating.md - Condense Runtime Imports intro (remove duplicate macro-supports list) - Simplify Path Validation section (remove valid-path examples already shown in Macro Syntax) - Remove Common Use Cases section (examples already covered in Macro Syntax and URL Imports sections) Co-Authored-By: Claude Sonnet 4.6 --- docs/src/content/docs/reference/templating.md | 51 ++----------------- 1 file changed, 4 insertions(+), 47 deletions(-) diff --git a/docs/src/content/docs/reference/templating.md b/docs/src/content/docs/reference/templating.md index 8aad584cbd..cfb9b2fbfc 100644 --- a/docs/src/content/docs/reference/templating.md +++ b/docs/src/content/docs/reference/templating.md @@ -98,17 +98,7 @@ The template system supports only basic conditionals - no nesting, `else` clause ## Runtime Imports -Runtime imports allow you to include content from files and URLs directly within your workflow prompts **at runtime** during GitHub Actions execution. This differs from [frontmatter imports](/gh-aw/reference/imports/) which are processed at compile-time. - -**Security Note:** File imports are **restricted to the `.github` folder** in your repository. This ensures workflow configurations cannot access arbitrary files in your codebase. - -Runtime imports use the macro syntax: `{{#runtime-import filepath}}` - -The macro supports: -- Line range extraction (e.g., `:10-20` for lines 10-20) -- URL fetching with automatic caching -- Content sanitization (front matter removal, macro detection) -- Automatic `.github/` prefix handling +Runtime imports include content from files and URLs in workflow prompts **at runtime** (unlike [compile-time imports](/gh-aw/reference/imports/)). File paths are restricted to the `.github` folder. Use `{{#runtime-import filepath}}` or `{{#runtime-import? filepath}}` for optional imports. ### Macro Syntax @@ -169,18 +159,11 @@ All runtime imports include automatic security protections. **Content Sanitization:** YAML front matter and HTML/XML comments are automatically stripped. GitHub Actions expressions (`${{ ... }}`) are **rejected with error** to prevent template injection and unintended variable expansion. -**Path Validation:** - -File paths are **restricted to the `.github` folder** to prevent access to arbitrary repository files: +**Path Validation:** File paths are restricted to the `.github` folder to prevent access to arbitrary repository files. Path traversal and absolute paths are rejected: ```aw wrap -# ✅ Valid - Files in .github folder -{{#runtime-import shared-instructions.md}} # Loads .github/shared-instructions.md -{{#runtime-import .github/shared-instructions.md}} # Same - .github/ prefix is trimmed - -# ❌ Invalid - Security violations -{{#runtime-import ../src/config.go}} # Error: Relative traversal outside .github -{{#runtime-import /etc/passwd}} # Error: Absolute path not allowed +{{#runtime-import ../src/config.go}} # Error: Relative traversal outside .github +{{#runtime-import /etc/passwd}} # Error: Absolute path not allowed ``` ### Caching @@ -195,32 +178,6 @@ Runtime imports are processed before other substitutions: 2. `${GH_AW_EXPR_*}` variable interpolation 3. `{{#if}}` template conditionals rendered -### Common Use Cases - -**Shared instructions from a file:** - -```aw wrap -# Code Review Agent - -{{#runtime-import workflows/shared/review-standards.md}} - - -Review the pull request changes. -``` - -**External content from a URL, with line range:** - -```aw wrap -# Security Audit - -Follow this checklist: - -{{#runtime-import https://company.com/security/api-checklist.md}} - -Reference implementation (lines 100-150): -{{#runtime-import docs/engine.go:100-150}} -``` - ### Limitations - **`.github` folder only:** File paths are restricted to `.github` folder for security