Skip to main content

此版本的 GitHub Enterprise Server 将于以下日期停止服务 2024-03-07. 即使针对重大安全问题,也不会发布补丁。 为了获得更好的性能、更高的安全性和新功能,请升级到最新版本的 GitHub Enterprise。 如需升级帮助,请联系 GitHub Enterprise 支持

使用 GitHub Connect 启用对 GitHub.com 操作的自动访问

要允许企业中的 GitHub Actions 使用来自 GitHub.com 的操作,您可以将企业实例连接到 GitHub Enterprise Cloud。

谁可以使用此功能?

Enterprise owners can enable access to public GitHub.com actions.

Note: GitHub-hosted runners are not currently supported on GitHub Enterprise Server. You can see more information about planned future support on the GitHub public roadmap.

About automatic access to GitHub.com actions

By default, GitHub Actions workflows on GitHub Enterprise Server cannot use actions directly from GitHub.com or GitHub Marketplace. To make all actions from GitHub.com available on your enterprise instance, you can use GitHub Connect to integrate GitHub Enterprise Server with GitHub Enterprise Cloud.

To use actions from GitHub.com, both your GitHub Enterprise Server instance and your self-hosted runners must be able to make outbound connections to GitHub.com. No inbound connections from GitHub.com are required. For more information. For more information, see "About self-hosted runners."

Alternatively, if you want stricter control over which actions are allowed in your enterprise, you can manually download and sync actions onto your enterprise instance using the actions-sync tool. For more information, see "Manually syncing actions from GitHub.com."

About resolution for actions using GitHub Connect

When a workflow uses an action by referencing the repository where the action is stored, GitHub Actions will first try to find the repository on your GitHub Enterprise Server instance. If the repository does not exist on your GitHub Enterprise Server instance, and if you have automatic access to GitHub.com enabled, GitHub Actions will try to find the repository on GitHub.com.

If a user has already created an organization and repository in your enterprise that matches an organization and repository name on GitHub.com, the repository on your enterprise will be used instead of the GitHub.com repository. For more information, see "Automatic retirement of namespaces for actions accessed on GitHub.com."

Enabling automatic access to public GitHub.com actions

Before enabling access to public actions from GitHub.com for your enterprise, you must:

  1. In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.

    Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.

  2. In the enterprise account sidebar, click GitHub Connect.

  3. Under "Users can utilize actions from GitHub.com in workflow runs", use the drop-down menu and select Enabled.

  4. After you enable GitHub Connect, you can use policies to restrict which public actions can be used in repositories in your enterprise. For more information, see "Enforcing policies for GitHub Actions in your enterprise."

Automatic retirement of namespaces for actions accessed on GitHub.com

When you enable GitHub Connect, users see no change in behavior for existing workflows because GitHub Actions searches your GitHub Enterprise Server instance for each action before falling back to GitHub.com. This ensures that any custom versions of actions your enterprise has created are used in preference to their counterparts on GitHub.com.

Automatic retirement of namespaces for actions accessed on GitHub.com blocks the potential for a man-in-the-middle attack by a malicious user with access to your GitHub Enterprise Server instance. When an action on GitHub.com is used for the first time, that namespace is retired in your GitHub Enterprise Server instance. This blocks any user creating an organization and repository in your enterprise that matches that organization and repository name on GitHub.com. This ensures that when a workflow runs, the intended action is always run.

After using an action from GitHub.com, if you want to create an action in your GitHub Enterprise Server instance with the same name, first you need to make the namespace for that organization and repository available.

  1. From an administrative account on GitHub Enterprise Server, in the upper-right corner of any page, click .

  2. If you're not already on the "Site admin" page, in the upper-left corner, click Site admin.

  3. In the left sidebar, under Site admin click Retired namespaces.

  4. To the right of the namespace that you want use in your GitHub Enterprise Server instance, click Unretire.

  5. Go to the relevant organization and create a new repository.

    Tip: When you unretire a namespace, always create the new repository with that name as soon as possible. If a workflow calls the associated action on GitHub.com before you create the local repository, the namespace will be retired again. For actions used in workflows that run frequently, you may find that a namespace is retired again before you have time to create the local repository. In this case, you can temporarily disable the relevant workflows until you have created the new repository.