Restricting access to machine types

You can set constraints on the types of machines users can choose when they create codespaces in your organization.

To manage access to machine types for the repositories in an organization, you must be an organization owner.

Codespaces is available for organizations using GitHub Team or GitHub Enterprise Cloud. For more information, see "GitHub's products."

Overview

Typically, when you create a codespace you are offered a choice of specifications for the machine that will run your codespace. You can choose the machine type that best suits your needs. For more information, see "Creating a codespace." If you pay for using GitHub Codespaces then your choice of machine type will affect how much your are billed. For more information about pricing, see "About billing for Codespaces."

As an organization owner, you may want to configure constraints on the types of machine that are available. For example, if the work in your organization doesn't require significant compute power or storage space, you can remove the highly resourced machines from the list of options that people can choose from. You do this by defining one or more policies in the Codespaces settings for your organization.

Behavior when you set a machine type constraint

If there are existing codespaces that no longer conform to a policy you have defined, these codespaces will continue to operate until they time out. When the user attempts to resume the codespace they are shown a message telling them that the currenly selected machine type is no longer allowed for this organization and prompting them to choose an alternative machine type.

If you remove higher specification machine types that are required by the Codespaces configuration for an individual repository in your organization, then it won't be possible to create a codespace for that repository. When someone attempts to create a codespace they will see a message telling them that there are no valid machine types available that meet the requirements of the repository's Codespaces configuration.

Note: Anyone who can edit the devcontainer.json configuration file in a repository can set a minimum specification for machines that can be used for codespaces for that repository. For more information, see "Setting a minimum specification for codespace machines."

If setting a policy for machine types prevents people from using Codespaces for a particular repository there are two options:

  • You can adjust your policies to specifically remove the restrictions from the affected repository.
  • Anyone who has a codespace that they can no longer access, because of the new policy, can export their codespace to a branch. This branch will contain all of their changes from the codespace. They can then open a new codespace on this branch with a compliant machine type or work on this branch locally. For more information, see "Exporting changes to a branch."

Setting organization-wide and repository-specific policies

When you create a policy you choose whether it applies to all repositories in your organization, or only to specified repositories. If you set an organization-wide policy then any policies you set for individual repositories must fall within the restriction set at the organization level. Adding policies makes the choice of machine more, not less, restrictive.

For example, you could create an organization-wide policy that restricts the machine types to either 2 or 4 cores. You can then set a policy for Repository A that restricts it to just 2-core machines. Setting a policy for Repository A that restricted it to machines with 2, 4, or 8 cores would result in a choice of 2-core and 4-core machines only, because the organization-wide policy prevents access to 8-core machines.

If you add an organization-wide policy, you should set it to the largest choice of machine types that will be available for any repository in your organization. You can then add repository-specific policies to further restrict the choice.

Adding a policy to limit the available machine types

  1. In the top right corner of GitHub.com, click your profile photo, then click Your organizations. Your organizations in the profile menu

  2. Next to the organization, click Settings. The settings button

  3. In the left sidebar, click Codespaces. "Codespaces" tab in left sidebar

  4. Under "Codespaces", click Policy.

    "Policy" tab in left sidebar

  5. On the "Codespace policies" page, click Create Policy.

  6. Enter a name for your new policy.

  7. Click Add constraint and choose Machine types.

    Add a constraint for machine types

  8. Click to edit the constraint, then clear the selection of any machine types that you don't want to be available.

    Edit the machine type constraint

  9. In the "Change policy target" area, click the dropdown button.

  10. Choose either All repositories or Selected repositories to determine which repositories this policy will apply to.

  11. If you chose Selected repositories:

    1. Click .

      Edit the settings for the policy

    2. Select the repositories you want this policy to apply to.

    3. At the bottom of the repository list, click Select repositories.

      Select repositories for this policy

  12. Click Save.

Editing a policy

  1. Display the "Codespace policies" page. For more information, see "Adding a policy to limit the available machine types."
  2. Click the name of the policy you want to edit.
  3. Make the required changes then click Save.

Deleting a policy

  1. Display the "Codespace policies" page. For more information, see "Adding a policy to limit the available machine types."

  2. Click the delete button to the right of the policy you want to delete.

    The delete button for a policy

Further reading

Did this doc help you?

Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.