About GitHub Actions access to private repositories
You can share actions and reusable workflows within your organization, without publishing them publicly, by allowing GitHub Actions workflows to access a private repository that contains the action or reusable workflow.
Any actions or reusable workflows stored in the private repository can be used in workflows defined in other private repositories owned by the same organization. Actions and reusable workflows stored in internal repositories cannot be used in public repositories and actions and reusable workflows stored in private repositories cannot be used in public or internal repositories.
Warning:
- If you make an internal or private repository accessible to GitHub Actions workflows in other repositories, outside collaborators on the other repositories can indirectly access the internal or private repository, even though they do not have direct access to these repositories. The outside collaborators can view logs for workflow runs when actions or workflows from the internal or private repository are used.
- To allow runners to download these actions, GitHub passes a scoped installation token to the runner. This token has read access to the repository, and automatically expires after one hour.
Sharing actions and workflows with your organization
- Store the action or reusable workflow in a private repository. For more information, see "About repositories."
- Configure the repository to allow access to workflows in other private repositories. For more information, see "Managing GitHub Actions settings for a repository."