Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows
What part(s) of the article would you like to see updated?
The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.
My understanding is that this only applies to jobs running on self-hosted runners.
As per https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners, GHA-hosted runners use a fresh VM for each job. So "shared directory" and "Docker socket" are not a thing for GHA-hosted runners.
Additional information
No response
Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#reusing-third-party-workflows
What part(s) of the article would you like to see updated?
My understanding is that this only applies to jobs running on self-hosted runners.
As per https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners, GHA-hosted runners use a fresh VM for each job. So "shared directory" and "Docker socket" are not a thing for GHA-hosted runners.
Additional information
No response