English
 

Explore by product

GitHub Actions
  • Get started
  • Account and profile
  • Authentication
  • Repositories
  • GitHub
  • Enterprise administrators
  • Billing and payments
  • Organizations
  • Code security
  • GitHub Issues
  • GitHub Actions
  • GitHub Codespaces
  • GitHub Packages
  • Search on GitHub
  • Developers
  • REST API
  • GraphQL API
  • GitHub CLI
  • GitHub Discussions
  • GitHub Sponsors
  • Building communities
  • GitHub Pages
  • Education
  • GitHub Desktop
  • Atom
  • Electron
  • CodeQL
  • npm
    • English
  • English
  • 简体中文 (Simplified Chinese)
  • 日本語 (Japanese)
  • Español (Spanish)
  • Português do Brasil (Portuguese)

    •  

    Article version

    In this article

    Managing access to self-hosted runners using groups

    You can use policies to limit access to self-hosted runners that have been added to an organization or enterprise.

    About self-hosted runner groups

    Note: All organizations have a single default self-hosted runner group. Only enterprise accounts and organizations owned by enterprise accounts can create and manage additional self-hosted runner groups.

    Self-hosted runner groups are used to control access to self-hosted runners at the organization and enterprise level. Enterprise admins can configure access policies that control which organizations in an enterprise have access to the runner group. Organization admins can configure access policies that control which repositories in an organization have access to the runner group.

    When an enterprise admin grants an organization access to a runner group, organization admins can see the runner group listed in the organization's self-hosted runner settings. The organizations admins can then assign additional granular repository access policies to the enterprise runner group.

    When new runners are created, they are automatically assigned to the default group. Runners can only be in one group at a time. You can move runners from the default group to another group. For more information, see "Moving a self-hosted runner to a group."

    Creating a self-hosted runner group for an organization

    All organizations have a single default self-hosted runner group. Organizations within an enterprise account can create additional self-hosted groups. Organization admins can allow individual repositories access to a runner group. For information about how to create a self-hosted runner group with the REST API, see "Self-hosted runner groups."

    Self-hosted runners are automatically assigned to the default group when created, and can only be members of one group at a time. You can move a runner from the default group to any group you create.

    When creating a group, you must choose a policy that defines which repositories have access to the runner group.

    1. On GitHub.com, navigate to the main page of the organization.

    2. Under your organization name, click Settings.

      Organization settings button

    3. In the left sidebar, click Actions.

    4. In the left sidebar, under "Actions", click Runner groups.

    5. In the "Runner groups" section, click New runner group.

    6. Enter a name for your runner group, and assign a policy for repository access.

      You can configure a runner group to be accessible to a specific list of repositories, or to all repositories in the organization. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.

      Warning: We recommend that you only use self-hosted runners with private repositories. This is because forks of your repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

      For more information, see "About self-hosted runners."

    7. Click Create group to create the group and apply the policy.

    Creating a self-hosted runner group for an enterprise

    Enterprises can add their self-hosted runners to groups for access management. Enterprises can create groups of self-hosted runners that are accessible to specific organizations in the enterprise account. Organization admins can then assign additional granular repository access policies to the enterprise runner groups. For information about how to create a self-hosted runner group with the REST API, see the Enterprise Administration GitHub Actions APIs.

    Self-hosted runners are automatically assigned to the default group when created, and can only be members of one group at a time. You can assign the runner to a specific group during the registration process, or you can later move the runner from the default group to a custom group.

    When creating a group, you must choose a policy that defines which organizations have access to the runner group.

    1. In the enterprise sidebar, click Policies. Policies tab in the enterprise account sidebar

    2. Under " Policies", click Actions.

    3. Click the Runner groups tab.

    4. Click New runner group.

    5. Enter a name for your runner group, and assign a policy for organization access.

      You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.

      Warning

      We recommend that you only use self-hosted runners with private repositories. This is because forks of your repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

      For more information, see "About self-hosted runners."

    6. Click Create group to create the group and apply the policy.

    Changing the access policy of a self-hosted runner group

    You can update the access policy of a runner group, or rename a runner group.

    1. Navigate to where your self-hosted runner groups are located:

      • In an organization: navigate to the main page and click Settings.
      • If using an enterprise account: navigate to your enterprise account by visiting https://github.com/enterprises/ENTERPRISE-NAME, replacing ENTERPRISE-NAME with your enterprise account's name. In the enterprise sidebar, Policies.

    2. Navigate to the "Runner groups" settings:

      • In an organization: Click Actions in the left sidebar, then click Runner groups below it.
      • If using an enterprise account: Click Actions under " Policies", then click the Runners groups tab.

    3. In the list of groups, click the runner group you'd like to configure.

    4. Modify the access options, or change the runner group name.

      Warning

      We recommend that you only use self-hosted runners with private repositories. This is because forks of your repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

      For more information, see "About self-hosted runners."

    Automatically adding a self-hosted runner to a group

    You can use the configuration script to automatically add a new self-hosted runner to a group. For example, this command registers a new self-hosted runner and uses the --runnergroup parameter to add it to a group named rg-runnergroup.

    ./config.sh --url $org_or_enterprise_url --token $token --runnergroup rg-runnergroup

    The command will fail if the runner group doesn't exist:

    Could not find any self-hosted runner group named "rg-runnergroup".

    Moving a self-hosted runner to a group

    If you don't specify a runner group during the registration process, your new self-hosted runners are automatically assigned to the default group, and can then be moved to another group.

    1. Navigate to where your self-hosted runner is registered:
      • In an organization: navigate to the main page and click Settings.
      • If using an enterprise account: navigate to your enterprise account by visiting https://github.com/enterprises/ENTERPRISE-NAME, replacing ENTERPRISE-NAME with your enterprise account's name. In the enterprise sidebar, Policies.
    2. Navigate to the GitHub Actions settings:
      • In an organization: Click Actions in the left sidebar, then click Runners.
      • If using an enterprise account: Click Actions under " Policies", then click the Runners tab.
    3. In the "Runners" list, click the runner that you want to configure.
    4. Select the Runner group dropdown menu.
    5. In "Move runner to group", choose a destination group for the runner.

    Removing a self-hosted runner group

    Self-hosted runners are automatically returned to the default group when their group is removed.

    1. Navigate to where your self-hosted runner groups are located:
      • In an organization: navigate to the main page and click Settings.
      • If using an enterprise account: navigate to your enterprise account by visiting https://github.com/enterprises/ENTERPRISE-NAME, replacing ENTERPRISE-NAME with your enterprise account's name. In the enterprise sidebar, Policies.
    2. Navigate to the "Runner groups" settings:
      • In an organization: Click Actions in the left sidebar, then click Runner groups below it.
      • If using an enterprise account: Click Actions under " Policies", then click the Runners groups tab.
    3. In the list of groups, to the right of the group you want to delete, click .
    4. To remove the group, click Remove group.
    5. Review the confirmation prompts, and click Remove this runner group.

    Did this doc help you?

    Privacy policy

    Help us make these docs great!

    All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

    Make a contribution

    Or, learn how to contribute.