Skip to main content

Managing GitHub Actions settings for a repository

You can disable or configure GitHub Actions for a specific repository.

注意:GitHub Enterprise Server 目前不支持 GitHub 托管的运行器。 可以在 GitHub public roadmap 上查看有关未来支持计划的更多信息。

About GitHub Actions permissions for your repository

By default, after GitHub Actions is enabled on your GitHub Enterprise Server instance, it is enabled on all repositories and organizations. You can choose to disable GitHub Actions or limit it to actions in your enterprise. For more information about GitHub Actions, see "About GitHub Actions."

You can enable GitHub Actions for your repository. 启用 GitHub Actions 时,工作流能够运行位于存储库中的操作,以及任何其他公共或内部存储库。 You can disable GitHub Actions for your repository altogether. 禁用 GitHub Actions 时,仓库中不会运行任何工作流程。

Alternatively, you can enable GitHub Actions in your repository but limit the actions a workflow can run.

Managing GitHub Actions permissions for your repository

You can disable GitHub Actions for a repository, or set a policy that configures which actions can be used in the repository.

Note: You might not be able to manage these settings if your organization has an overriding policy or is managed by an enterprise that has overriding policy. For more information, see "Disabling or limiting GitHub Actions for your organization" or "Enforcing policies for GitHub Actions in your enterprise."

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the left sidebar, click Actions, then click General.

  4. Under "Actions permissions", select an option.

    如果选择 允许选择操作,则允许企业内的操作,并且还有允许其他特定操作的其他选项。 有关详细信息,请参阅“允许选择操作来运行”。

    本地到企业的操作

    Set actions policy for this repository

  5. Click Save.

允许选择操作以运行

如果选择 允许选择操作,则允许本地操作,并且还允许其他特定操作的其他选项:

  • 允许 GitHub 创建的操作: 可以允许工作流使用 GitHub 创建的所有操作。 GitHub 创建的操作位于 actionsgithub 组织中。 有关详细信息,请参阅 actionsgithub 组织。

  • 允许经过验证的创建者执行的 Marketplace 操作:如果已启用 GitHub Connect 并配置了 GitHub Actions,则此选项可用。 有关详细信息,请参阅“使用 GitHub Connect 启用对 GitHub.com 操作的自动访问。”可以允许工作流使用由经过验证的创建者创建的所有 GitHub Marketplace 操作。 如果 GitHub 验证该操作的创建者为合作伙伴组织, 徽章将显示在 GitHub Marketplace 中的操作旁边。

  • 允许指定的操作:可以限制工作流使用特定组织和存储库中的操作。

    若要限制对操作的特定标记或提交 SHA 的访问,请使用工作流中使用的相同语法来选择操作。

    • 对于操作,语法为 <OWNER>/<REPO>@<TAG OR SHA>。 例如,使用 actions/javascript-action@v1.0.1 选择标记或使用 actions/javascript-action@172239021f7ba04fe7327647b213799853a9eb89 选择 SHA。 有关详细信息,请参阅“查找和自定义操作”。

    可以使用 * 通配符来匹配模式。 例如,若要允许以 space-org 开头的组织中的所有操作,可以指定 space-org*/*。 若要允许以 octocat 开头的存储库中的所有操作,可以使用 */octocat**@*。 有关使用 * 通配符的详细信息,请参阅“GitHub 操作的工作流语法”。

此过程演示如何将特定操作添加到允许列表。

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the left sidebar, click Actions, then click General.

  4. Under "Actions permissions", select 允许选择操作 and add your required actions to the list.

    Add actions to the allow list

  5. Click Save.

Enabling workflows for forks of private repositories

如果依赖于使用专用存储库的分支,你可以配置策略来控制用户如何在 pull_request 事件上运行工作流。 仅适用于专用和内部存储库,你可以为你的企业、组织或存储库配置这些策略设置。

If a policy is disabled for an enterprise or organization, it cannot be enabled for a repository.

  • 从分支拉取请求运行工作流 - 允许用户使用具有只读权限、没有密码访问权限的 GITHUB_TOKEN,从分支拉取请求运行工作流。
  • 从拉取请求向工作流发送写入令牌 - 允许来自分支的拉取请求使用具有写入权限的 GITHUB_TOKEN
  • 从拉取请求向工作流发送机密 - 使所有机密都可用于拉取请求。

Configuring the fork policy for a private repository

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the left sidebar, click Actions, then click General.

  4. 在“复刻拉取请求工作流”下,选择选项。 例如:

    启用、禁用或限制此存储库的操作

  5. 单击“保存”以应用设置。

Setting the permissions of the GITHUB_TOKEN for your repository

可以设置授予 GITHUB_TOKEN 的默认权限。 有关 GITHUB_TOKEN 的详细信息,请参阅“自动令牌身份验证”。 你可以选择一组有限的权限作为默认项或应用权限设置。

The default permissions can also be configured in the organization settings. If your repository belongs to an organization and a more restrictive default has been selected in the organization settings, the same option is selected in your repository settings and the permissive option is disabled.

任何拥有存储库写入权限的人都可以通过编辑工作流文件中的 permissions 键来修改授予 GITHUB_TOKEN 的权限,或者根据需要添加或删除权限。 有关详细信息,请参阅 permissions

Configuring the default GITHUB_TOKEN permissions

By default, when you create a new repository in your personal account, GITHUB_TOKEN only has read access for the contents scope. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the left sidebar, click Actions, then click General.

  4. Under "Workflow permissions", choose whether you want the GITHUB_TOKEN to have read and write access for all scopes, or just read access for the contents scope.

    Set GITHUB_TOKEN permissions for this repository

  1. Click Save to apply the settings.

Preventing GitHub Actions from creating or approving pull requests

可选择允许或阻止GitHub Actions工作流创建或审批拉取请求。

By default, when you create a new repository in your personal account, workflows are not allowed to create or approve pull requests. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.

  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮

  3. In the left sidebar, click Actions, then click General.

  4. Under "Workflow permissions", use the Allow GitHub Actions to create and approve pull requests setting to configure whether GITHUB_TOKEN can create and approve pull requests.

    Set GITHUB_TOKEN permissions for this repository

  5. Click Save to apply the settings.

Allowing access to components in an internal repository

Members of your enterprise can use internal repositories to work on projects without sharing information publicly. For information, see "About repositories."

You can use the steps below to configure whether actions and workflows in an internal repository can be accessed from outside the repository. For more information, see "Sharing actions and workflows with your enterprise." Alternatively, you can use the REST API to set, or get details of, the level of access. For more information, see "Get the level of access for workflows outside of the repository" and "Set the level of access for workflows outside of the repository."

  1. On GitHub, navigate to the main page of the internal repository.

  2. Under your repository name, click Settings.

  3. In the left sidebar, click Actions, then click General.

  4. Under Access, choose one of the access settings:

    Set the access to Actions components

    • Not accessible - Workflows in other repositories cannot access this repository.
    • Accessible from repositories in the 'ORGANIZATION NAME' organization - Workflows in other repositories that are part of the 'ORGANIZATION NAME' organization can access the actions and workflows in this repository. Access is allowed only from private or internal repositories.
    • Accessible from repositories in the 'ENTERPRISE NAME' enterprise - Workflows in other repositories that are part of the 'ENTERPRISE NAME' enterprise can access the actions and workflows in this repository. Access is allowed only from private or internal repositories.
  5. Click Save to apply the settings.

Configuring the retention period for GitHub Actions artifacts and logs in your repository

You can configure the retention period for GitHub Actions artifacts and logs in your repository.

默认情况下,工作流程生成的构件和日志文件将保留 90 天,然后自动删除。 可以将此保持期更改为 1 天或 400 天之间的任何时长。

自定义保留期时,它仅适用于新构件和日志文件,并且不追溯性地应用于现有对象。 对于托管的仓库和组织,最长保留期不能超过管理组织或企业设置的限制。

You can also define a custom retention period for a specific artifact created by a workflow. For more information, see "Setting the retention period for an artifact."

Setting the retention period for a repository

  1. On your GitHub Enterprise Server instance, navigate to the main page of the repository.
  2. 在存储库名称下,单击 “设置”。 “存储库设置”按钮
  3. In the left sidebar, click Actions, then click General.
  4. 在“工件和日志保留”下,输入新值。
  5. 单击“保存”应用更改。

Configuring cache storage for a repository

By default, the total cache storage that GitHub Actions uses on the external storage for your GitHub Enterprise Server instance is limited to a maximum of 10 GB per repository, and the maximum allowed size that can be set for a repository is 25 GB. However, these default sizes might be different if an enterprise owner has changed them. 如果超过此限制,GitHub 将保存新缓存,但会开始收回缓存,直到总大小小于存储库限制。

You can set a total cache storage size for your repository up to the maximum size allowed by the enterprise policy setting.

The repository settings for GitHub Actions cache storage can currently only be modified using the REST API:

注意:与其他 GitHub Actions 策略设置不同,没有用于设置 GitHub Actions 缓存大小的组织级策略。 企业策略直接应用于存储库。