Skip to main content

Managing access to self-hosted runners using groups

You can use policies to limit access to self-hosted runners that have been added to an organization or enterprise.

注意:GitHub Enterprise Server 目前不支持 GitHub 托管的运行器。 可以在 GitHub public roadmap 上查看有关未来支持计划的更多信息。

About runner groups

运行器组用于控制对组织和企业级运行器的访问。 企业所有者可以配置访问策略,用于控制企业中哪些组织和工作流可以访问运行器组。 组织所有者可以配置访问策略,用于控制组织中哪些存储库和工作流可以访问运行器组。

当企业所有者授予对运行器组的访问权限时,组织所有者可以看到组织的运行器设置中列出的运行器组。 然后,组织所有者可以为企业运行器组分配更精细的存储库和工作流访问策略。

新运行器在创建时,将自动分配给默认组。 运行器每次只能在一个组中。 您可以将运行器从默认组移到另一组。 有关详细信息,请参阅“将运行器移动到组”。

Creating a self-hosted runner group for an organization

警告:建议仅将自托管运行器用于私有仓库。 这是因为,通过创建在工作流中执行代码的拉取请求,公共存储库的分支可能会在自托管运行器计算机上运行危险代码。

有关详细信息,请参阅关于自承载运行器

All organizations have a single default runner group. Organizations within an enterprise account can create additional groups. Organization admins can allow individual repositories access to a runner group. For information about how to create a runner group with the REST API, see "Self-hosted runner groups."

Runners are automatically assigned to the default group when created, and can only be members of one group at a time. You can move a runner from the default group to any group you create.

When creating a group, you must choose a policy that defines which repositories and workflows have access to the runner group.

  1. On your GitHub Enterprise Server instance, navigate to the main page of the organization.

  2. 在组织名称下,单击“设置”。 组织设置按钮

  3. In the left sidebar, click Actions, then click Runner groups.

  4. In the "Runner groups" section, click New runner group.

  5. Enter a name for your runner group.

  6. 分配存储库访问策略。

    您可以将运行器组配置为可供特定的存储库列表或组织中的所有存储库访问。 默认情况下,只有私有存储库可以访问运行器组中的运行器,但您可以覆盖此操作。 如果配置企业共享的组织的运行组,则不能覆盖此设置。

  7. 分配用于工作流访问的策略。

    可以将运行器组配置为可供特定工作流列表或所有工作流访问。 如果是配置企业共享的组织运行器组,则不能覆盖此设置。 如果指定可以访问运行器组的工作流,则必须使用工作流的完整路径,包括存储库名称和所有者,并且必须将工作流固定到分支、标记或完整 SHA。 例如:octo-org/octo-repo/.github/workflows/build.yml@v2, octo-org/octo-repo/.github/workflows/deploy.yml@d6dc6c96df4f32fa27b039f2084f576ed2c5c2a5, monalisa/octo-test/.github/workflows/test.yml@main

    只有直接在所选工作流程中定义的作业才能访问运行器组。 Organization-owned runner groups cannot access workflows from a different organization in the enterprise; instead, you must create an enterprise-owned runner group.

  8. Click Create group to create the group and apply the policy.

Creating a self-hosted runner group for an enterprise

警告:建议仅将自托管运行器用于私有仓库。 这是因为,通过创建在工作流中执行代码的拉取请求,公共存储库的分支可能会在自托管运行器计算机上运行危险代码。

有关详细信息,请参阅关于自承载运行器

Enterprises can add their runners to groups for access management. Enterprises can create groups of runners that are accessible to specific organizations in the enterprise account or to specific workflows. Organization owners can then assign additional granular repository or workflow access policies to the enterprise runner groups. For information about how to create a runner group with the REST API, see the enterprise endpoints in the GitHub Actions REST API.

Runners are automatically assigned to the default group when created, and can only be members of one group at a time. You can assign the runner to a specific group during the registration process, or you can later move the runner from the default group to a custom group.

When creating a group, you must choose a policy that defines which organizations have access to the runner group.

  1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”

  2. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡

  3. 在“ 策略”下,单击“操作”。

  4. 单击“运行器组”选项卡。

  5. Click New runner group.

  6. Under "Group name", type a name for your runner group.

  7. To choose a policy for organization access, select the Organization access drop-down, and click a policy. You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise. By default, only private repositories can access runners in a runner group, but you can override this.

    Add runner group options

  8. 分配用于工作流访问的策略。

    可以将运行器组配置为可供特定工作流列表或所有工作流访问。 如果是配置企业共享的组织运行器组,则不能覆盖此设置。 如果指定可以访问运行器组的工作流,则必须使用工作流的完整路径,包括存储库名称和所有者,并且必须将工作流固定到分支、标记或完整 SHA。 例如:octo-org/octo-repo/.github/workflows/build.yml@v2, octo-org/octo-repo/.github/workflows/deploy.yml@d6dc6c96df4f32fa27b039f2084f576ed2c5c2a5, monalisa/octo-test/.github/workflows/test.yml@main

    只有直接在所选工作流程中定义的作业才能访问运行器组。

  9. Click Save group to create the group and apply the policy.

Changing the access policy of a self-hosted runner group

警告:建议仅将自托管运行器用于私有仓库。 这是因为,通过创建在工作流中执行代码的拉取请求,公共存储库的分支可能会在自托管运行器计算机上运行危险代码。

有关详细信息,请参阅关于自承载运行器

For runner groups in an enterprise, you can change what organizations in the enterprise can access a runner group or restrict what workflows a runner group can run. For runner groups in an organization, you can change what repositories in the organization can access a runner group or restrict what workflows a runner group can run.

Changing what organizations or repositories can access a runner group

  1. Navigate to where your runner groups are located:

    • In an organization: navigate to the main page and click Settings.

    • If using an enterprise-level group:

      1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. Navigate to the "Runner groups" settings:

    • In an organization:

      1. In the left sidebar, click Actions, then click Runner groups.
    • If using an enterprise-level group:

      1. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡
      2. 在“ 策略”下,单击“操作”。
      3. 单击“运行器组”选项卡。
  3. 在组列表中,单击要配置的运行器组。

  4. For runner groups in an enterprise, under Organization access, modify what organizations can access the runner group. For runner groups in an organization, under Repository access, modify what repositories can access the runner group.

Changing what workflows can access a runner group

You can configure a runner group to run either selected workflows or all workflows. For example, you might use this setting to protect secrets that are stored on runners or to standardize deployment workflows by restricting a runner group to run only a specific reusable workflow. This setting cannot be overridden if you are configuring an organization's runner group that was shared by an enterprise.

  1. Navigate to where your runner groups are located:

    • In an organization: navigate to the main page and click Settings.

    • If using an enterprise-level group:

      1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. Navigate to the "Runner groups" settings:

    • In an organization:

      1. In the left sidebar, click Actions, then click Runner groups.
    • If using an enterprise-level group:

      1. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡
      2. 在“ 策略”下,单击“操作”。
      3. 单击“运行器组”选项卡。
  3. 在组列表中,单击要配置的运行器组。

  4. Under Workflow access, select the dropdown menu and click Selected workflows.

  5. Click .

  6. Enter a comma separated list of the workflows that can access the runner group. Use the full path, including the repository name and owner. Pin the workflow to a branch, tag, or full SHA. For example: octo-org/octo-repo/.github/workflows/build.yml@v2, octo-org/octo-repo/.github/workflows/deploy.yml@d6dc6c96df4f32fa27b039f2084f576ed2c5c2a5, monalisa/octo-test/.github/workflows/test.yml@main.

    Only jobs directly defined within the selected workflows will have access to the runner group.

    Organization-owned runner groups cannot access workflows from a different organization in the enterprise; instead, you must create an enterprise-owned runner group.

  7. Click Save.

Changing the name of a runner group

  1. Navigate to where your runner groups are located:

    • In an organization: navigate to the main page and click Settings.

    • If using an enterprise-level group:

      1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. Navigate to the "Runner groups" settings:

    • In an organization:

      1. In the left sidebar, click Actions, then click Runner groups.
    • If using an enterprise-level group:

      1. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡
      2. 在“ 策略”下,单击“操作”。
      3. 单击“运行器组”选项卡。
  3. 在组列表中,单击要配置的运行器组。

  4. Change the runner group name.

Automatically adding a self-hosted runner to a group

可以使用配置脚本自动向组添加新运行器。 例如,此命令会注册一个新运行器,并使用 --runnergroup 参数将其添加到名为 rg-runnergroup 的组。

./config.sh --url $org_or_enterprise_url --token $token --runnergroup rg-runnergroup

如果运行器组不存在,命令将失败:

Could not find any self-hosted runner group named "rg-runnergroup".

Moving a self-hosted runner to a group

If you don't specify a runner group during the registration process, your new runners are automatically assigned to the default group, and can then be moved to another group.

  1. 导航到自托管运行器注册的位置:

    • 在组织中:导航到主页并单击“ 设置” 。

    • 如果使用的是企业级运行器:

      1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. 导航到 GitHub Actions 设置:

    • 在组织中:

      1. In the left sidebar, click Actions, then click Runners.
    • 如果使用的是企业级运行器:

      1. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡 1. 在“ 策略”下,单击“操作”。 1. 单击“运行器”选项卡。
  3. In the "Runners" list, click the runner that you want to configure.

  4. Select the Runner group drop-down.

  5. In "Move runner to group", choose a destination group for the runner.

Removing a self-hosted runner group

运行器在其组被移除时将自动返回到默认组。

  1. Navigate to where your runner groups are located:

    • In an organization: navigate to the main page and click Settings.

    • If using an enterprise-level group:

      1. 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“企业设置”。 GitHub Enterprise Server 上个人资料照片下拉菜单中的“企业设置”
  2. Navigate to the "Runner groups" settings:

    • In an organization:

      1. In the left sidebar, click Actions, then click Runner groups.
    • If using an enterprise-level group:

      1. 在企业边栏中,单击 “策略”。 企业帐户边栏中的“策略”选项卡
      2. 在“ 策略”下,单击“操作”。
      3. 单击“运行器组”选项卡。
  3. 在组列表中,在要删除的组右侧,单击

  4. 若要删除组,请单击“删除组”。

  5. 查看确认提示,然后单击“删除此运行器组”。 此组中的任何运行器都会自动移动到默认组,在该组中它们会继承分配给该组的访问权限。