# known-safe-contexts.txt
# one per line, comment lines begin with #

# The action path is always safe.
github.action_path

# The GitHub event name (i.e. trigger) is itself safe.
github.event_name

# hexadecimal SHA refs
github.event.after
github.event.before
github.event.merge_group.base_sha
github.event.pull_request.base.sha
github.event.pull_request.head.sha

# Corresponds to the job ID which is workflow-controlled
# but can only be [A-Za-z0-9-_].
# See: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_id
github.job

# Information about the GitHub repository
github.repository
github.repository_id
github.repositoryurl

# Information about the GitHub repository owner (account/org or ID)
github.repository_owner
github.repository_owner_id

# Unique numbers assigned by GitHub for workflow runs
github.run_attempt
github.run_id
github.run_number

# Typically something like `https://github.com`; you have bigger problems if
# this is attacker-controlled.
github.server_url

# Always a 40-char SHA-1 reference.
github.sha

# Like `secrets.*`: not safe to expose but safe to interpolate.
github.token

# GitHub Actions-controlled local directory.
github.workspace

# runner contexts
# GitHub Actions-controller runner architecture.
runner.arch
# Debug logging is (1) or is not (0) enabled on GitHub Actions runner.
runner.debug
# GitHub Actions runner operating system.
runner.os
# GitHub Actions temporary directory value controlled by the runner itself.
runner.temp
# GitHub Actions cached tool directory value controlled by the runner itself.
runner.tool_cache
