Enforcing GitHub Actions policies for your enterprise

Enterprise administrators can manage access to GitHub Actions in an enterprise.

About GitHub Actions permissions for your enterprise

When you enable GitHub Actions on GitHub Enterprise Server, it is enabled for all organizations in your enterprise. You can choose to disable GitHub Actions for all organizations in your enterprise, or only allow specific organizations. You can also limit the use of public actions, so that people can only use local actions that exist in your enterprise.

Managing GitHub Actions permissions for your enterprise

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings. "Enterprise settings" in drop-down menu for profile photo on GitHub Enterprise Server

  2. In the enterprise sidebar, click Policies. Policies tab in the enterprise account sidebar

  3. Under " Policies", click Actions.

  4. Under "Policies", select your options.

    You can choose which organizations in your enterprise can use GitHub Actions, and you can restrict access to public actions.

    Note: To enable access to public actions, you must first configure your GitHub Enterprise Server instance to connect to GitHub Marketplace. For more information, see "Enabling automatic access to GitHub.com actions using GitHub Connect."

    Enable, disable, or limits actions for this enterprise account

Allowing specific actions to run

When you choose Allow select actions, local actions are allowed, and there are additional options for allowing other specific actions:

  • Allow actions created by GitHub: You can allow all actions created by GitHub to be used by workflows. Actions created by GitHub are located in the actions and github organization. For more information, see the actions and github organizations.

  • Allow specified actions: You can restrict workflows to use actions in specific organizations and repositories.

    To restrict access to specific tags or commit SHAs of an action, use the same <OWNER>/<REPO>@<TAG OR SHA> syntax used in the workflow to select the action. For example, actions/javascript-action@v1.0.1 to select a tag or actions/javascript-action@172239021f7ba04fe7327647b213799853a9eb89 to select a SHA. For more information, see "Finding and customizing actions."

    You can use the * wildcard character to match patterns. For example, to allow all actions in organizations that start with space-org, you can specify space-org*/*. To add all actions in repositories that start with octocat, you can use */octocat*@*. For more information about using the * wildcard, see "Workflow syntax for GitHub Actions."

This procedure demonstrates how to add specific actions to the allow list.

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings. "Enterprise settings" in drop-down menu for profile photo on GitHub Enterprise Server

  2. In the enterprise sidebar, click Policies. Policies tab in the enterprise account sidebar

  3. Under " Policies", click Actions.

  4. Under Policies, select Allow select actions and add your required actions to the list. Add actions to allow list

Enabling workflows for private repository forks

If you rely on using forks of your private repositories, you can configure policies that control how users can run workflows on pull_request events. Available to private and internal repositories only, you can configure these policy settings for enterprises, organizations, or repositories. For enterprises, the policies are applied to all repositories in all organizations.

  • Run workflows from fork pull requests - Allows users to run workflows from fork pull requests, using a GITHUB_TOKEN with read-only permission, and with no access to secrets.
  • Send write tokens to workflows from pull requests - Allows pull requests from forks to use a GITHUB_TOKEN with write permission.
  • Send secrets to workflows from pull requests - Makes all secrets available to the pull request.

Configuring the private fork policy for your enterprise

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings. "Enterprise settings" in drop-down menu for profile photo on GitHub Enterprise Server

  2. In the enterprise sidebar, click Policies. Policies tab in the enterprise account sidebar

  3. Under " Policies", click Actions.

  4. Under Fork pull request workflows, select your options. For example: Enable, disable, or limits actions for this repository

  5. Click Save to apply the settings.

Did this doc help you?Privacy policy

Help us make these docs great!

All GitHub docs are open source. See something that's wrong or unclear? Submit a pull request.

Make a contribution

Or, learn how to contribute.