Documentation for "CI/CD Admin Permissions - [GA]" (#49448)

Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>

content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md

@@ -43,7 +43,11 @@ You can register ephemeral runners that perform a single job before the registra
 
 ## Adding a self-hosted runner to a repository
 
-You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, you must be an organization owner or have admin access to the repository. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, {% ifversion custom-org-roles %}you must be an organization owner, have admin access to the repository, or have the “Manage organization runners and runner groups” permission.{% else %}you must be an organization owner or have admin access to the repository.{% endif %}
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
+For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
 
 {% ifversion actions-disable-repo-runners %}
 
@@ -66,7 +70,9 @@ For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managin
 
 ## Adding a self-hosted runner to an organization
 
-You can add self-hosted runners at the organization level, where they can be used to process jobs for multiple repositories in an organization. To add a self-hosted runner to an organization, you must be an organization owner. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+You can add self-hosted runners at the organization level, where they can be used to process jobs for multiple repositories in an organization. To add a self-hosted runner to an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 
 {% data reusables.organizations.navigate-to-org %}
 {% data reusables.organizations.org_settings %}

content/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups.md

@@ -2,7 +2,7 @@
 title: Managing access to self-hosted runners using groups
 shortTitle: Manage access with runner groups
 intro: You can use policies to limit access to self-hosted runners that have been added to an organization{% ifversion ghec or ghes %} or enterprise{% endif %}.
-permissions: 'Enterprise accounts, organizations owned by enterprise accounts, and organizations using {% data variables.product.prodname_team %} can create and manage additional runner groups.'
+permissions: 'Enterprise accounts, organizations owned by enterprise accounts, and organizations using {% data variables.product.prodname_team %} can create and manage additional runner groups.<br><br>{% ifversion custom-org-roles %}Users with the "Manage organization runners and runner groups" permission can manage runner groups at the organization level.{% endif %}'
 redirect_from:
   - /actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners
   - /actions/hosting-your-own-runners/managing-access-to-self-hosted-runners

content/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners.md

@@ -29,7 +29,11 @@ shortTitle: Remove self-hosted runners
 
 {% endnote %}
 
-To remove a self-hosted runner from a user repository you must be the repository owner. For an organization repository, you must be an organization owner or have admin access to the repository. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+To remove a self-hosted runner from a user repository you must be the repository owner. Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can remove a runner from a repository in the organization. {% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
+We recommend that you also have access to the self-hosted runner machine.
+
+For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
 
 {% data reusables.actions.self-hosted-runner-reusing %}
 {% data reusables.repositories.navigate-to-repo %}
@@ -52,7 +56,9 @@ To remove a self-hosted runner from a user repository you must be the repository
 
 {% endnote %}
 
-To remove a self-hosted runner from an organization, you must be an organization owner. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+To remove a self-hosted runner from an organization, you must be an organization owner{% ifversion custom-org-roles %} or have the "Manage organization runners and runner groups" permission{% endif %}. We recommend that you also have access to the self-hosted runner machine. For information about how to remove a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)."
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 
 {% data reusables.actions.self-hosted-runner-reusing %}
 {% data reusables.organizations.navigate-to-org %}

content/actions/learn-github-actions/variables.md

@@ -154,6 +154,9 @@ The following rules apply to configuration variable names:
 {% data reusables.actions.actions-variables-tab %}
 
    ![Screenshot of the "Actions secrets and variables" page. A tab, labeled "Variables," is outlined in dark orange.](/assets/images/help/actions/organization-variables-tab.png)
+
+   {% data reusables.actions.secrets-and-variables-org-permissions %}
+
 1. Click **New organization variable**.
 {% data reusables.actions.variable-fields %}
 1. From the **Repository access** dropdown list, choose an access policy.

content/actions/security-guides/security-hardening-for-github-actions.md

@@ -166,6 +166,18 @@ For more information, see "[AUTOTITLE](/code-security/code-scanning/introduction
 
 To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token)."
 
+{% ifversion custom-org-roles %}
+
+## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization
+
+You can practice the principal of least privilege for your organization's CI/CD pipeline with {% data variables.product.prodname_actions %} by administering custom organization roles. A custom organization role is a way to grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories.
+
+{% data reusables.actions.org-roles-for-gh-actions %}
+
+For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+
+{% endif %}
+
 ## Using OpenID Connect to access cloud resources
 
 {% data reusables.actions.about-oidc-short-overview %}

content/actions/security-guides/using-secrets-in-github-actions.md

@@ -158,7 +158,11 @@ gh secret list --env ENV_NAME
 {%- ifversion actions-configuration-variables %}
 {% data reusables.actions.actions-secrets-tab %}
 
-   ![Screenshot of the "Actions secrets and variables" page. A tab, labeled "Secrets," is outlined in dark orange.](/assets/images/help/actions/organization-secrets-tab.png){% endif %}
+   ![Screenshot of the "Actions secrets and variables" page. A tab, labeled "Secrets," is outlined in dark orange.](/assets/images/help/actions/organization-secrets-tab.png)
+
+   {% data reusables.actions.secrets-and-variables-org-permissions %}
+
+   {% endif %}
 1. Click **New organization secret**.
 1. Type a name for your secret in the **Name** input box.
 1. Enter the **Value** for your secret.

content/actions/using-github-hosted-runners/about-larger-runners/managing-larger-runners.md

@@ -2,7 +2,7 @@
 title: Managing larger runners
 shortTitle: Manage larger runners
 intro: 'You can configure {% data variables.actions.hosted_runner %}s for your organization or enterprise.'
-permissions: '{% data reusables.actions.larger-runner-permissions %}'
+permissions: '{% data reusables.actions.larger-runner-permissions %}<br><br> Enterprise or organization owners can manage larger runners.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" permission can manage larger runners at the organization level.{% endif %}'
 versions:
   feature: actions-hosted-runners
 redirect_from:
@@ -30,7 +30,7 @@ Enterprise owners can add {% data variables.actions.hosted_runner %}s to an ente
 
 ## Adding a {% data variables.actions.hosted_runner %} to an organization
 
-You can add a {% data variables.actions.hosted_runner %} to an organization, where organization owners can control which repositories can use it. When you create a new runner for an organization, by default, all repositories in the organization have access to the runner. To limit which repositories can use the runner, assign it to a runner group with access to specific repositories. For more information, see "[Allowing repositories to access a runner group](#allowing-repositories-to-access-a-runner-group)."
+Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can add a {% data variables.actions.hosted_runner %} to an organization control which repositories can use it. When you create a new runner for an organization, by default, all repositories in the organization have access to the runner. To limit which repositories can use the runner, assign it to a runner group with access to specific repositories. For more information, see "[Allowing repositories to access a runner group](#allowing-repositories-to-access-a-runner-group)."
 
 {% data reusables.actions.add-hosted-runner-overview %}
 
@@ -42,7 +42,9 @@ You can add a {% data variables.actions.hosted_runner %} to an organization, whe
 
 ## Allowing repositories to access {% data variables.actions.hosted_runner %}s
 
-Repositories are granted access to {% data variables.actions.hosted_runner %}s through runner groups. Enterprise administrators can choose which organizations are granted access to enterprise-level runner groups, and organization owners control repository-level access to all {% data variables.actions.hosted_runner %}s. Organization owners can use and configure enterprise-level runner groups for the repositories in their organization, or they can create organization-level runner groups to control access.
+Repositories are granted access to {% data variables.actions.hosted_runner %}s through runner groups. Enterprise administrators can choose which organizations are granted access to enterprise-level runner groups, and organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} control repository-level access to all {% data variables.actions.hosted_runner %}s.
+
+Organization owners can use and configure enterprise-level runner groups for the repositories in their organization, or they can create organization-level runner groups to control access.{% ifversion custom-org-roles %} Users with the "Manage organization runners and runner groups" can only manage organization-level runner groups. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 
 - **For enterprise-level runner groups**: {% data reusables.actions.about-enterprise-level-runner-groups %}
 - **For organization-level runner groups**: {% data reusables.actions.about-organization-level-runner-groups %}

content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud.md

@@ -2,7 +2,7 @@
 title: Getting started with GitHub Actions for GitHub Enterprise Cloud
 shortTitle: Get started
 intro: 'Learn how to configure {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_cloud %}.'
-permissions: 'Enterprise owners can configure {% data variables.product.prodname_actions %}.'
+permissions: 'Enterprise owners can configure {% data variables.product.prodname_actions %}.{% ifversion custom-org-roles %}<br><br>Users with the "Manage organization Actions policies" permission manage all settings on the "Actions General" settings page, except for self-hosted runners settings.<br><br>Users with the "Manage organization runners and runner groups" permission can manage GitHub-hosted runners, self-hosted runners, and runner groups, and control where self-hosted runners can be created.{% endif %}'
 versions:
   ghec: '*'
 type: how_to
@@ -31,4 +31,16 @@ For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managin
 
 If you choose self-hosted runners, you can add runners at the enterprise, organization, or repository levels. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
 
+{% ifversion custom-org-roles %}
+
+## Provisioning fine-grained permissions for {% data variables.product.prodname_actions %}
+
+Organization owners and users with the "Manage custom organization roles" permission can provision fine-grained permissions for users and teams in your organization. Provisioning fine-grained permissions for {% data variables.product.prodname_actions %} allows you to practice the principal of least privilege to secure settings in your {% data variables.product.prodname_actions %} CI/CD pipeline.
+
+{% data reusables.actions.org-roles-for-gh-actions %}
+
+For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/managing-custom-organization-roles)."
+
+{% endif %}
+
 {% data reusables.actions.general-security-hardening %}

content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise.md

@@ -5,7 +5,7 @@ intro: 'You can configure a runner machine for your enterprise so your developer
 versions:
   ghec: '*'
   ghes: '*'
-permissions: 'Enterprise owners can configure policies for {% data variables.product.prodname_actions %} and add self-hosted runners to the enterprise.'
+permissions: 'Enterprise owners{% ifversion custom-org-roles %} and users with permissions{% endif %} can configure policies for {% data variables.product.prodname_actions %} and add self-hosted runners to the enterprise.'
 type: quick_start
 topics:
   - Actions
@@ -101,10 +101,12 @@ You've now deployed a self-hosted runner that can run jobs from {% data variable
 
 ## 4. Further restrict access to the self-hosted runner
 
-Optionally, organization owners can further restrict the access policy of the runner group that you created. For example, an organization owner could allow only certain repositories in the organization to use the runner group.
+Optionally, organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can further restrict the access policy of the runner group that you created. For example, an organization owner could allow only certain repositories in the organization to use the runner group.
 
 For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
 
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
 ## 5. Automatically scale your self-hosted runners
 
 {% ifversion actions-runner-controller %}Optionally, you can use {% data variables.product.prodname_actions_runner_controller %} (ARC) to automatically scale self-hosted runners. {% data reusables.actions.actions-runner-controller-about-arc %}

content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md

@@ -33,6 +33,8 @@ Consider combining OpenID Connect (OIDC) with reusable workflows to enforce cons
 
 You can access information about activity related to {% data variables.product.prodname_actions %} in the audit logs for your enterprise. If your business needs require retaining this information longer than audit log data is retained, plan how you'll export and store this data outside of {% data variables.product.prodname_dotcom %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/exporting-audit-log-activity-for-your-enterprise)" and "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)."{% else %}{% ifversion audit-log-streaming %}"[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)" and {% endif %}"[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/exploring-user-activity/log-forwarding)."{% endif %}
 
+{% ifversion custom-org-roles %}You can practice the principal of least privilege by administering custom organization roles for access to settings in your {% data variables.product.prodname_actions %} CI/CD pipeline. For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
 ## Security
 
 You should plan your approach to security hardening for {% data variables.product.prodname_actions %}.

content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md

@@ -1,7 +1,7 @@
 ---
 title: Enforcing policies for GitHub Actions in your enterprise
 intro: 'You can enforce policies for {% data variables.product.prodname_actions %} within your enterprise''s organizations, or allow policies to be set in each organization.'
-permissions: 'Enterprise owners can enforce policies for {% data variables.product.prodname_actions %} in an enterprise.'
+permissions: 'Enterprise owners{% ifversion custom-org-roles %} and users with the "Manage organization Actions policies" permission{% endif %} can enforce policies for {% data variables.product.prodname_actions %} in an enterprise.'
 redirect_from:
   - /enterprise/admin/github-actions/enforcing-github-actions-policies-for-your-enterprise
   - /admin/github-actions/enforcing-github-actions-policies-for-your-enterprise
@@ -29,7 +29,9 @@ shortTitle: GitHub Actions policies
 
 {% data variables.product.prodname_actions %} helps members of your enterprise automate software development workflows on {% data variables.product.product_name %}. For more information, see "[AUTOTITLE](/actions/learn-github-actions/understanding-github-actions)."
 
-{% ifversion ghes %}If you enable {% data variables.product.prodname_actions %}, any{% else %}Any{% endif %} organization on {% data variables.location.product_location %} can use {% data variables.product.prodname_actions %}. You can enforce policies to control how members of your enterprise on {% data variables.product.product_name %} use {% data variables.product.prodname_actions %}. By default, organization owners can manage how members use {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
+{% ifversion ghes %}If you enable {% data variables.product.prodname_actions %}, any{% else %}Any{% endif %} organization on {% data variables.location.product_location %} can use {% data variables.product.prodname_actions %}. You can enforce policies to control how members of your enterprise on {% data variables.product.product_name %} use {% data variables.product.prodname_actions %}. By default, organization owners{% ifversion custom-org-roles %} and users with the "Manage organization Actions policies" permission{% endif %} can manage how members use {% data variables.product.prodname_actions %}. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 
 ## Enforcing a policy to restrict the use of {% data variables.product.prodname_actions %} in your enterprise
 
@@ -64,7 +66,9 @@ You can choose to disable {% data variables.product.prodname_actions %} for all
 
 {% data reusables.actions.disable-selfhosted-runners-overview %} For more information on creating self-hosted runners at the repository level, see "[AUTOTITLE](/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)."
 
-By default anyone with admin access to a repository can add a self-hosted runner for the repository. The enterprise settings allow you to disable the use of repository-level self-hosted runners across all repositories in your enterprise. If you allow repository-level self-hosted runners for your enterprise, organization owners can choose to allow or prevent creation of repository-level self-hosted runners for some or all repositories in their organization. For more information see, "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
+By default anyone with admin access to a repository can add a self-hosted runner for the repository. The enterprise settings allow you to disable the use of repository-level self-hosted runners across all repositories in your enterprise. If you allow repository-level self-hosted runners for your enterprise, organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can choose to allow or prevent creation of repository-level self-hosted runners for some or all repositories in their organization. For more information see, "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 
 {% data reusables.actions.disable-selfhosted-runners-note %}
 

content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md

@@ -1,12 +1,13 @@
 ---
 title: Disabling or limiting GitHub Actions for your organization
-intro: 'Organization owners can disable, enable, and limit GitHub Actions for an organization.'
+intro: 'You can enable, disable, and limit GitHub Actions for an organization.'
 redirect_from:
   - /github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization
 versions:
   fpt: '*'
   ghes: '*'
   ghec: '*'
+permissions:  Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization Actions policies" and "Manage runners and runner groups" fine-grained permissions{% endif %} can enable, disable, and limit {% data variables.product.prodname_actions %} for an organization. {% ifversion custom-org-roles %}<br><br>For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
 topics:
   - Organizations
   - Teams

content/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles.md

@@ -44,5 +44,9 @@ Manage the organization's custom properties definitions | Access to create and e
 Manage organization ref update rules and rulesets | Access to manage rulesets and view ruleset insights at the organization level. | "[AUTOTITLE](/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization)"
 {%- endif %}
 View organization audit log | Access to the audit log for the organization. The audit log may contain metadata for repositories in the organization. | "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)"
+Manage organization Actions policies | Access to manage all settings on the "Actions General" settings page, except for self-hosted runners settings. | "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)"
+Manage organization runners and runner groups | Access to create and manage GitHub-hosted runners, self-hosted runners, and runner groups, and control where self-hosted runners can be created. | "[AUTOTITLE](/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#overview-of-github-hosted-runners)"<br><br>"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)"
+Manage organization Actions secrets | Access to create and manage Actions organization secrets. | "[AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization)"
+Manage organization Actions variables | Access to create and manage Actions organization variables. | "[AUTOTITLE](/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization)"
 
 {% endrowheaders %}

data/reusables/actions/about-organization-level-runner-groups.md

@@ -1 +1 @@
-By default, all repositories in an organization are granted access to organization-level runner groups. To restrict which repositories have access, organization owners must configure organization runner groups and choose which repositories have access.
+By default, all repositories in an organization are granted access to organization-level runner groups. To restrict which repositories have access, organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} must configure organization runner groups and choose which repositories have access.

data/reusables/actions/about-runner-groups.md

@@ -1,8 +1,4 @@
-To control access to runners at the organization{% ifversion ghec or ghes %} and/or enterprise levels, enterprise and organization owners can use runner groups.{% else %} level, organizations using the {% data variables.product.prodname_team %} plan can use runner groups. {% endif %}
+To control access to runners at the organization{% ifversion ghec or ghes %} and/or enterprise levels, enterprise and organization owners can use runner groups.{% else %} level, organizations using the {% data variables.product.prodname_team %} plan can use runner groups.{% endif %} Runner groups are used to collect sets of runners and create a security boundary around them.
-
-Runner groups are used to collect sets of runners and create a security boundary around them. You can then decide which organizations or repositories are permitted to run jobs on those sets of machines.
-
-{%- ifversion ghec or ghes %} Enterprise administrators can configure access policies that control which organizations {% ifversion restrict-groups-to-workflows %}and workflows {% endif %}in an enterprise have access to the runner group.{% else %} Organization owners can configure access policies that control which repositories in an organization have access to the runner group.{% endif %}
 
 When you grant access to a runner group, you can see the runner group listed in the organization's runner settings. Optionally, you can assign additional granular repository{% ifversion restrict-groups-to-workflows %} and workflow{% endif %} access policies to the runner group.
 

data/reusables/actions/actions-tab-new-runners-note.md

@@ -1,5 +1,13 @@
 {% note %}
 
-**Note:** Enterprise and organization owners with privileges to create runners have the option to create new runners from this page. If you are an enterprise or organization owner, click **New runner** at the top right of the list of runners to add runners to the repository. For more information, see {% ifversion actions-hosted-runners %}"[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners)" and {% endif %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
+**Note:** Enterprise and organization owners{% ifversion custom-org-roles %} and users with the "Manage organization runners and runner groups" permission{% endif %} can create runners have the option to create new runners from this page. To create a new runner, click **New runner** at the top right of the list of runners to add runners to the repository.
+
+For more information, see {% ifversion actions-hosted-runners %}"[AUTOTITLE](/actions/using-github-hosted-runners/managing-larger-runners)" and {% endif %}"[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)."
+
+{% ifversion custom-org-roles %}
+
+For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+
+{% endif %}
 
 {% endnote %}

data/reusables/actions/creating-a-runner-group-for-an-organization.md

@@ -7,11 +7,17 @@ Always include a security admonition above this procedure. This is either one of
 
 {% endcomment %}
 
-All organizations have a single default runner group. {% ifversion fpt %}Organizations using the {% data variables.product.prodname_team %} plan{% else %}Organizations within an enterprise account{% endif %} can create additional groups. Organization admins can allow individual repositories access to a runner group. For information about how to create a runner group with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runner-groups)."
+{% note %}
 
-If no group is specified during the registration process, runners are automatically added to a default group. You can later move the runner from the default group to a custom group. For more information, see "[Moving a runner to a group](#moving-a-runner-to-a-group)."
+**Note:** When creating a runner group, you must choose a policy that defines which repositories{% ifversion restrict-groups-to-workflows %} and workflows{% endif %} have access to the runner group. To change which repositories and workflows can access the runner group, organization owners{% ifversion custom-org-roles %} and users with the “Manage organization runners and runner groups” permission{% endif %} can set a policy for the organization. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)."
 
-When creating a group, you must choose a policy that defines which repositories{% ifversion restrict-groups-to-workflows %} and workflows{% endif %} have access to the runner group.
+{% endnote %}
+
+All organizations have a single default runner group. {% ifversion fpt %}Organization owners using the {% data variables.product.prodname_team %} plan{% else %}Organization owners{% ifversion custom-org-roles %} and users with the the "Manage organization runners and runner groups" permission{% endif %}{% endif %} can create additional organization-level runner groups. {% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
+If no group is specified during the registration process, runners are automatically added to the default group. You can later move the runner from the default group to a custom group. For more information, see "[Moving a runner to a group](#moving-a-runner-to-a-group)."
+
+For information about how to create a runner group with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runner-groups)."
 
 {% data reusables.organizations.navigate-to-org %}
 {% data reusables.organizations.org_settings %}

data/reusables/actions/disable-selfhosted-runners-crossrefs.md

@@ -1 +1,5 @@
-{% ifversion ghec or ghes %}Enterprise owners and organization {% elsif fpt %}Organization {% endif %}owners can disable the ability to create self-hosted runners at the repository level. For more information, see {% ifversion ghec or ghes %}"[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)" and {% endif %}"[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)."
+{% ifversion ghec or ghes %}Enterprise owners and organization {% elsif fpt %}Organization {% endif %}owners can choose which repositories are allowed to create repository-level self-hosted runners. {% ifversion custom-org-roles %}Users with the “Manage organization runners and runner groups” permission can only choose which repositories are allowed to create repository-level self-hosted runners for repositories in your organization{% endif %}.
+
+{% ifversion custom-org-roles %}For more information about custom organization roles, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}
+
+For more information, see {% ifversion ghec or ghes %}"[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)" and {% endif %}"[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)."

data/reusables/actions/org-roles-for-gh-actions.md

@@ -0,0 +1,6 @@
+For {% data variables.product.prodname_actions %}, you can enable any of the following permissions for individuals or teams in your organization.
+
+- **Manage organization Actions policies:** Access to manage all settings on the "Actions General" settings page, except for self-hosted runners settings.
+- **Manage organization runners and runner groups:** Access to create and manage GitHub-hosted runners, self-hosted runners, and runner groups, and control where self-hosted runners can be created.
+- **Manage organization Actions secrets**: Access to create and manage Actions organization secrets.
+- **Manage organization Actions variables**: Access to create and manage Actions organization variables.

data/reusables/actions/permissions-statement-secrets-and-variables-organization.md

@@ -1 +1,3 @@
-To create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}at the organization level, you must be an organization owner.
+Organization owners{% ifversion custom-org-roles %} and users with the "Manage organization Actions variables" or "Manage organization Actions secrets" permissions{% endif %} can create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}at the organization level.{% ifversion custom-org-roles %}
+
+For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."{% endif %}

data/reusables/actions/secrets-and-variables-org-permissions.md

@@ -0,0 +1,9 @@
+{% ifversion custom-org-roles %}
+
+{% note %}
+
+**Note:** The "Actions secrets and variables" page may not show distinct tabs for secrets and variables depending on your permissions. Organization owners and users with both the "Manage organization Actions variables" and "Manage organization Actions secrets" permissions will see the **Variables** and **Secrets** tabs. For more information, see "[AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles)."
+
+{% endnote %}
+
+{% endif %}