About GitHub Actions access to internal repositories
If your organization is owned by an enterprise account, you can share actions and reusable workflows within your enterprise, without publishing them publicly, by allowing GitHub Actions workflows to access an internal repository that contains the action or reusable workflow.
Any actions or reusable workflows stored in the internal repository can be used in workflows defined in other internal or private repositories owned by the same organization, or by any organization owned by the enterprise. Actions and reusable workflows stored in internal repositories cannot be used in public repositories .
Warning:
- If you make an internal repository accessible to GitHub Actions workflows in other repositories, outside collaborators on the other repositories can indirectly access the internal repository, even though they do not have direct access to these repositories. The outside collaborators can view logs for workflow runs when actions or workflows from the internal repository are used.
- To allow runners to download these actions, GitHub passes a scoped installation token to the runner. This token has read access to the repository, and automatically expires after one hour.
Sharing actions and workflows with your enterprise
- Store the action or reusable workflow in an internal repository. For more information, see "About repositories."
- Configure the repository to allow access to workflows in other internal repositories. For more information, see "Managing GitHub Actions settings for a repository."