Skip to main content

Controlling access to larger runners

You can use policies to limit access to larger runners that have been added to an organization or enterprise.

The larger runners feature is currently in beta for organizations and enterprises using the GitHub Team or GitHub Enterprise Cloud plans, and is subject to change. To request access to the beta, visit the sign up page.

About runner groups

Note: All organizations have a single default runner group. Only enterprise accounts and organizations owned by enterprise accounts can create and manage additional runner groups.

Runner groups are used to control access to runners. Organization admins can configure access policies that control which repositories in an organization have access to the runner group.

If you use GitHub Enterprise Cloud, you can create additional runner groups; enterprise admins can configure access policies that control which organizations in an enterprise have access to the runner group; and organization admins can assign additional granular repository access policies to the enterprise runner group. For more information, see the GitHub Enterprise Cloud documentation.

Default group for larger runners

Organizations and enterprises with access to larger runners will automatically receive a default runner group called "Default Larger Runners" that includes 4 runners of varying sizes. The runners in this group are pre-configured and ready for immediate use. In order to use the runners in this group, you will need to add the label corresponding to the runner of your choice to your workflow file. See the table below for labels. For more information on how to use labels, see "Running jobs on your runner."

Default Runners

DescriptionLabelImage
4-cores Ubuntu Runnerubuntu-latest-4-coresUbuntu - Latest
8-cores Ubuntu Runnerubuntu-latest-8-coresUbuntu - Latest
16-cores Ubuntu Runnerubuntu-latest-16-coresUbuntu - Latest
8-cores Windows Runnerwindows-latest-8-coresWindows Server - Latest

The default larger runner group is created at the billing entity level. If your organization is part of an enterprise account, the group will be managed on the enterprise level. If your organization does not fall under an enterprise, the group is managed on the organization level.

You will not be billed for these runners until you use them in your workflows. Once these runners are used, billing works as it normally does. For more information on billing, see "Using larger runners."

The default access for a larger runner group at the enterprise level is set to automatically share with all organizations in the enterprise, but not all repositories. Organization admins will need to share the default larger runner group with each repository separately. For larger runner groups at the organization level, the default access is set to automatically share the group with all repositories. For more information on how to change access policies, and where to view the default larger runner group, see "Changing the access policy of a runner group."

Changing the access policy of a runner group

Warning: If you are using a Fixed IP range, we recommend that you only use larger runners with private repositories. Forks of your repository can potentially run dangerous code on your larger runner by creating a pull request that executes the code in a workflow.

For runner groups in an enterprise, you can change what organizations in the enterprise can access a runner group. For runner groups in an organization, you can change what repositories in the organization can access a runner group.

Changing what organizations or repositories can access a runner group

  1. Navigate to the main page of the repository or organization where your runner groups are located.

  2. Click Settings.

  3. In the left sidebar, click Actions, then click Runner groups.

  4. In the list of groups, click the runner group you'd like to configure.

  5. For runner groups in an enterprise, under Organization access, modify what organizations can access the runner group. For runner groups in an organization, under Repository access, modify what repositories can access the runner group.

Changing the name of a runner group

  1. Navigate to the main page of the repository or organization where your runner groups are located.

  2. Click Settings.

  3. In the left sidebar, click Actions, then click Runner groups.

  4. In the list of groups, click the runner group you'd like to configure.

  5. Change the runner group name.