Enabling automatic access to GitHub.com actions using GitHub Connect

About automatic access to GitHub.com actions

By default, GitHub Actions workflows on GitHub Enterprise Server cannot use actions directly from GitHub.com or GitHub Marketplace. To make all actions from GitHub.com available on your enterprise instance, you can use GitHub Connect to integrate GitHub Enterprise Server with GitHub Enterprise Cloud.

若要使用 GitHub.com 中的操作，你的 GitHub Enterprise Server 实例 和自托管运行器必须能够与 GitHub.com 建立出站连接。 不需要来自 GitHub.com 的入站连接。 有关详细信息， 有关详细信息，请参阅“关于自托管运行程序”。

Alternatively, if you want stricter control over which actions are allowed in your enterprise, you can manually download and sync actions onto your enterprise instance using the actions-sync tool. For more information, see "Manually syncing actions from GitHub.com."

About resolution for actions using GitHub Connect

当工作流通过引用存储操作的存储库来使用操作时，GitHub Actions 将首先尝试在 你的 GitHub Enterprise Server 实例 上查找存储库。 如果 你的 GitHub Enterprise Server 实例 上不存在存储库，并且你启用了对 GitHub.com 的自动访问，GitHub Actions 将尝试在 GitHub.com 上查找存储库。

If a user has already created an organization and repository in your enterprise that matches an organization and repository name on GitHub.com, the repository on your enterprise will be used instead of the GitHub.com repository. For more information, see "Automatic retirement of namespaces for actions accessed on GitHub.com."

Enabling automatic access to public GitHub.com actions

Before enabling access to public actions from GitHub.com for your enterprise, you must:

• Configure 你的 GitHub Enterprise Server 实例 to use GitHub Actions. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."
• Enable GitHub Connect. For more information, see "Managing GitHub Connect."

1. 在 GitHub Enterprise Server 的右上角，单击你的个人资料照片，然后单击“企业设置”****。

   

2. 在企业帐户边栏中，单击 GitHub Connect。

3. Under "Users can utilize actions from GitHub.com in workflow runs", use the drop-down menu and select Enabled.

4. 在启用 GitHub Connect 后，您可以使用策略限制哪些公共操作可用于您企业的仓库中。 有关详细信息，请参阅“Enforcing policies for GitHub Actions in your enterprise”。

Automatic retirement of namespaces for actions accessed on GitHub.com

When you enable GitHub Connect, users see no change in behavior for existing workflows because GitHub Actions searches 你的 GitHub Enterprise Server 实例 for each action before falling back to GitHub.com. This ensures that any custom versions of actions your enterprise has created are used in preference to their counterparts on GitHub.com.

Automatic retirement of namespaces for actions accessed on GitHub.com blocks the potential for a man-in-the-middle attack by a malicious user with access to 你的 GitHub Enterprise Server 实例. When an action on GitHub.com is used for the first time, that namespace is retired in 你的 GitHub Enterprise Server 实例. This blocks any user creating an organization and repository in your enterprise that matches that organization and repository name on GitHub.com. This ensures that when a workflow runs, the intended action is always run.

After using an action from GitHub.com, if you want to create an action in 你的 GitHub Enterprise Server 实例 with the same name, first you need to make the namespace for that organization and repository available.

1. 在 GitHub Enterprise Server 上的管理帐户中，在任一页面的右上角，单击 。

2. 如果你尚未在“站点管理员”页上，请在左上角单击“站点管理员”。

3. In the left sidebar, under Site admin click Retired namespaces.

4. To the right of the namespace that you want use in 你的 GitHub Enterprise Server 实例, click Unretire.

5. Go to the relevant organization and create a new repository.

   Tip: When you unretire a namespace, always create the new repository with that name as soon as possible. If a workflow calls the associated action on GitHub.com before you create the local repository, the namespace will be retired again. For actions used in workflows that run frequently, you may find that a namespace is retired again before you have time to create the local repository. In this case, you can temporarily disable the relevant workflows until you have created the new repository.