Add warning about GitHub Connect behavior with Actions (github#18771)

chrispat · yaananth · Sarah Edwards · web-flow · commit 2bba3c702961 · 2021-04-16T19:26:10.000Z
Co-authored-by: Yashwanth Anantharaju &lt;yaananth@users.noreply.github.com&gt;
Co-authored-by: Sarah Edwards &lt;skedwards88@github.com&gt;
diff --git a/content/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect.md b/content/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect.md
@@ -13,6 +13,7 @@ topics:
 
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
+{% data reusables.actions.enterprise-github-connect-warning %}
 {% data reusables.actions.ae-beta %}
 
 By default, {% data variables.product.prodname_actions %} workflows on {% data variables.product.product_name %} cannot use actions directly from {% data variables.product.prodname_dotcom_the_website %} or [{% data variables.product.prodname_marketplace %}](https://github.com/marketplace?type=actions).
diff --git a/data/reusables/actions/enterprise-github-connect-warning.md b/data/reusables/actions/enterprise-github-connect-warning.md
@@ -0,0 +1,7 @@
+{% if enterpriseServerVersions contains currentVersion and currentVersion ver_gt "enterprise-server@2.21" %}
+{% note %}
+
+**Note:** With {% data variables.product.prodname_github_connect %} enabled, {% data variables.product.prodname_actions %} will try to find the repository on your {% data variables.product.prodname_ghe_server %} instance first before falling back to {% data variables.product.prodname_dotcom %}. If a user creates an organization and repository in your enterprise that matches an organization and repository name on {% data variables.product.prodname_dotcom %}, the repository on your enterprise will be used in place of the {% data variables.product.prodname_dotcom %} repository. A malicious user could take advantage of this behavior to run code as part of a workflow.
+
+{% endnote %}
+{% endif %}
