Skip to main content
All products
GitHub Actions

Managing access to self-hosted runners using groups

In this article

You can use policies to limit access to self-hosted runners that have been added to an organization or enterprise.

For information on how to route jobs to runners in a specific group, see "Choosing the runner for a job."

About runner groups

Note: All organizations have a single default runner group. Only enterprise accounts and organizations owned by enterprise accounts can create and manage additional runner groups.

Runner groups are used to control access to runners. Organization admins can configure access policies that control which repositories in an organization have access to the runner group.

If you use GitHub Enterprise Cloud, you can create additional runner groups; enterprise admins can configure access policies that control which organizations in an enterprise have access to the runner group; and organization admins can assign additional granular repository access policies to the enterprise runner group. For more information, see the GitHub Enterprise Cloud documentation.

Changing the access policy of a self-hosted runner group

Warning: We recommend that you only use self-hosted runners with private repositories. This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

For more information, see "About self-hosted runners."

For runner groups in an enterprise, you can change what organizations in the enterprise can access a runner group. For runner groups in an organization, you can change what repositories in the organization can access a runner group.

Changing what organizations or repositories can access a runner group

  1. Navigate to the main page of the repository or organization where your runner groups are located.

  2. Click Settings.

  3. In the left sidebar, click Actions, then click Runner groups.

  4. In the list of groups, click the runner group you'd like to configure.

  5. For runner groups in an enterprise, under Organization access, modify what organizations can access the runner group. For runner groups in an organization, under Repository access, modify what repositories can access the runner group.

  6. In the "Runners" section of the settings page, next to the runner group you'd like to configure, click , then click Edit name and [organization|repository] access. Manage repository permissions

  7. Modify your policy options.

    Warning

    We recommend that you only use self-hosted runners with private repositories. This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.

    For more information, see "About self-hosted runners."

Changing the name of a runner group

  1. Navigate to the main page of the repository or organization where your runner groups are located.

  2. Click Settings.

  3. In the left sidebar, click Actions, then click Runner groups.

  4. In the list of groups, click the runner group you'd like to configure.

  5. Change the runner group name.

  6. In the "Runners" section of the settings page, next to the runner group you'd like to configure, click , then click Edit name and [organization|repository] access. Manage repository permissions

  7. Change the runner group name.