Managing access to self-hosted runners using groups

You can use policies to limit access to self-hosted runners that have been added to an organization or enterprise.

About self-hosted runner groups

Note: All organizations have a single default self-hosted runner group. Only enterprise accounts and organizations owned by enterprise accounts can create and manage additional self-hosted runner groups.

Self-hosted runner groups are used to control access to self-hosted runners. Organization admins can configure access policies that control which repositories in an organization have access to the runner group.

If you use GitHub Enterprise Cloud, you can create additional runner groups. Enterprise admins can configure access policies that control which organizations in an enterprise have access to the runner group, and organization admins can assign additional granular repository access policies to the enterprise runner group. For more information, see the GitHub Enterprise Cloud documentation.

Changing the access policy of a self-hosted runner group

You can update the access policy of a runner group, or rename a runner group.

  1. Navigate to the main page of the repository or organization where your self-hosted runner groups are located.

  2. Click Settings.

  3. In the left sidebar, click Actions.

  4. Click Runner groups.

  5. In the list of groups, click the runner group you'd like to configure.

  6. Modify the access options, or change the runner group name.

    Warning

    We recommend that you only use self-hosted runners with private repositories. This is because forks of your repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

    For more information, see "About self-hosted runners."
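
An added example (not part of the GitHub documentation): a Python check that audits each runner group's access policy for the settings the warning above concerns. It assumes the input is the JSON returned by the REST endpoint `GET /orgs/{org}/actions/runner-groups`; the sample response, group names, and severity labels are constructed for illustration.

```python
import json

# Constructed sample shaped like the response of
# GET /orgs/{org}/actions/runner-groups (names and ids are made up).
SAMPLE_RESPONSE = json.loads("""
{
  "total_count": 3,
  "runner_groups": [
    {"id": 1, "name": "Default", "visibility": "all", "default": true,
     "inherited": false, "allows_public_repositories": false},
    {"id": 2, "name": "build-fleet", "visibility": "selected", "default": false,
     "inherited": false, "allows_public_repositories": true},
    {"id": 3, "name": "deploy-prod", "visibility": "selected", "default": false,
     "inherited": false, "allows_public_repositories": false}
  ]
}
""")


def audit_runner_groups(response):
    """Return one finding per risky access-policy setting, worst first."""
    findings = []
    for group in response.get("runner_groups", []):
        name = group.get("name", "<unnamed>")
        # Treat a missing field as unknown rather than safe.
        public = group.get("allows_public_repositories")
        if public is True:
            findings.append(("high", name, "public repositories may use these runners"))
        elif public is None:
            findings.append(("review", name, "public-repository setting not reported"))
        # "all" means the group is not restricted to selected repositories.
        if group.get("visibility") == "all":
            findings.append(("medium", name, "every repository in the organization has access"))
    # Severity labels are this example's own ranking, not GitHub terminology.
    order = {"high": 0, "medium": 1, "review": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, name, reason in audit_runner_groups(SAMPLE_RESPONSE):
        print(f"[{severity}] {name}: {reason}")
```

Groups flagged `high` are the ones to correct first through the access options in step 6.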
