diff --git a/assets/images/help/settings/actions-fork-pull-request-approval.png b/assets/images/help/settings/actions-fork-pull-request-approval.png new file mode 100644 index 0000000000..07388a0d80 Binary files /dev/null and b/assets/images/help/settings/actions-fork-pull-request-approval.png differ diff --git a/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md b/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md index 351c238776..28d83bb82f 100644 --- a/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md +++ b/content/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks.md 
@@ -1,15 +1,21 @@ --- title: Approving workflow runs from public forks -intro: 'When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve any workflow runs.' +intro: 'When an outside contributor submits a pull request to a public repository, a maintainer with write access may need to approve any workflow runs.' product: '{% data reusables.gated-features.actions %}' versions: fpt: '*' shortTitle: Approve public fork runs --- -Forks of public repositories can submit pull requests that propose changes to a repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. To help prevent this, workflows on pull requests are not run automatically if they are received from first-time contributors, and must be approved first. +## About workflow runs from public forks -Maintainers with write access to the repository can use the following procedure to review and run workflows on pull requests from first-time contributors. After a contributor has at least one pull request merged into a project's repository, any future pull requests from that contributor's fork will automatically run workflows. 
+{% data reusables.actions.workflow-run-approve-public-fork %} However, you can configure this behavior for a [repository](/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#configuring-required-approval-for-workflows-from-public-forks), [organization](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#configuring-required-approval-for-workflows-from-public-forks), or [enterprise](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account#configuring-required-approval-for-workflows-from-public-forks). + +Workflow runs that have been awaiting approval for more than 30 days are automatically deleted. + +## Approving workflow runs on a pull request from a public fork + +Maintainers with write access to a repository can use the following procedure to review and run workflows on pull requests from contributors that require approval. {% data reusables.repositories.sidebar-pr %} {% data reusables.repositories.choose-pr-review %} diff --git a/content/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository.md b/content/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository.md index 7081a3f1fd..b24b691521 100644 --- a/content/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository.md +++ b/content/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository.md 
@@ -75,6 +75,19 @@ You can disable all workflows for a repository or set a policy that configures w 2. Click **Save**. {% endif %} +{% ifversion fpt %} +## Configuring required approval for workflows from public forks + +{% data reusables.actions.workflow-run-approve-public-fork %} You can configure this behavior for a repository using the procedure below. Modifying this setting overrides the configuration set at the organization or enterprise level. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-settings %} +{% data reusables.repositories.settings-sidebar-actions %} +{% data reusables.github-actions.workflows-from-public-fork-setting %} + +{% data reusables.actions.workflow-run-approve-link %} +{% endif %} + {% ifversion fpt or ghes > 2.22 %} ## Enabling workflows for private repository forks diff --git a/content/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account.md index 58bd4b1655..8cbec6d7e8 100644 --- a/content/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account.md +++ b/content/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account.md 
@@ -40,6 +40,17 @@ You can disable all workflows for an enterprise or set a policy that configures 1. Under **Policies**, select **Allow select actions** and add your required actions to the list. ![Add actions to allow list](/assets/images/help/organizations/enterprise-actions-policy-allow-list.png) +## Configuring required approval for workflows from public forks + +{% data reusables.actions.workflow-run-approve-public-fork %} You can configure this behavior for your enterprise using the procedure below. + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +{% data reusables.enterprise-accounts.actions-tab %} +{% data reusables.github-actions.workflows-from-public-fork-setting %} + +{% data reusables.actions.workflow-run-approve-link %} + ## Enabling workflows for private repository forks {% data reusables.github-actions.private-repository-forks-overview %} diff --git a/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md index fbde884d31..57e058f85e 100644 --- a/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md 
@@ -35,7 +35,8 @@ To search for specific events, use the `action` qualifier in your query. Actions |------------------|-------------------{% ifversion fpt %} | [`account`](#account-category-actions) | Contains all activities related to your organization account. | [`advisory_credit`](#advisory_credit-category-actions) | Contains all activities related to crediting a contributor for a security advisory in the {% data variables.product.prodname_advisory_database %}. For more information, see "[About {% data variables.product.prodname_dotcom %} Security Advisories](/github/managing-security-vulnerabilities/about-github-security-advisories)." -| [`billing`](#billing-category-actions) | Contains all activities related to your organization's billing. +| [`billing`](#billing-category-actions) | Contains all activities related to your organization's billing.{% ifversion fpt or ghes > 2.22 or ghae %} +| [`business`](#business-category-actions) | Contains activities related to business settings for an enterprise. |{% endif %} | [`codespaces`](#codespaces-category-actions) | Contains all activities related to your organization's codespaces. | [`dependabot_alerts`](#dependabot_alerts-category-actions) | Contains organization-level configuration activities for {% data variables.product.prodname_dependabot %} alerts in existing repositories. For more information, see "[About alerts for vulnerable dependencies](/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies)." | [`dependabot_alerts_new_repos`](#dependabot_alerts_new_repos-category-actions) | Contains organization-level configuration activities for {% data variables.product.prodname_dependabot %} alerts in new repositories created in the organization. 
@@ -44,7 +45,8 @@ To search for specific events, use the `action` qualifier in your query. Actions | [`dependency_graph`](#dependency_graph-category-actions) | Contains organization-level configuration activities for dependency graphs for repositories. For more information, see "[About the dependency graph](/github/visualizing-repository-data-with-graphs/about-the-dependency-graph)." | [`dependency_graph_new_repos`](#dependency_graph_new_repos-category-actions) | Contains organization-level configuration activities for new repositories created in the organization.{% endif %} | [`discussion_post`](#discussion_post-category-actions) | Contains all activities related to discussions posted to a team page. -| [`discussion_post_reply`](#discussion_post_reply-category-actions) | Contains all activities related to replies to discussions posted to a team page. +| [`discussion_post_reply`](#discussion_post_reply-category-actions) | Contains all activities related to replies to discussions posted to a team page.{% ifversion fpt or ghes > 2.21 %} +| [`enterprise`](#enterprise-category-actions) | Contains activities related to enterprise settings. | {% endif %} | [`hook`](#hook-category-actions) | Contains all activities related to webhooks. | [`integration_installation_request`](#integration_installation_request-category-actions) | Contains all activities related to organization member requests for owners to approve integrations for use in the organization. | | [`issue`](#issue-category-actions) | Contains activities related to deleting an issue. {% ifversion fpt %} @@ -165,7 +167,6 @@ For more information about the audit log REST API, see "[Organizations](/rest/re An overview of some of the most common actions that are recorded as events in the audit log. {% ifversion fpt %} - ### `account` category actions | Action | Description 
@@ -174,7 +175,9 @@ An overview of some of the most common actions that are recorded as events in th | `plan_change` | Triggered when an organization's [subscription](/articles/about-billing-for-github-accounts) changes. | `pending_plan_change` | Triggered when an organization owner or billing manager [cancels or downgrades a paid subscription](/articles/how-does-upgrading-or-downgrading-affect-the-billing-process/). | `pending_subscription_change` | Triggered when a [{% data variables.product.prodname_marketplace %} free trial starts or expires](/articles/about-billing-for-github-marketplace/). +{% endif %} +{% ifversion fpt %} ### `advisory_credit` category actions | Action | Description 
@@ -183,14 +186,27 @@ An overview of some of the most common actions that are recorded as events in th | `create` | Triggered when the administrator of a security advisory adds someone to the credit section. | `decline` | Triggered when someone declines credit for a security advisory. | `destroy` | Triggered when the administrator of a security advisory removes someone from the credit section. +{% endif %} +{% ifversion fpt %} ### `billing` category actions | Action | Description |------------------|------------------- | `change_billing_type` | Triggered when your organization [changes how it pays for {% data variables.product.prodname_dotcom %}](/articles/adding-or-editing-a-payment-method). | `change_email` | Triggered when your organization's [billing email address](/articles/setting-your-billing-email) changes. +{% endif %} +{% ifversion fpt or ghes > 2.22 or ghae %} +### `business` category actions + +| Action | Description +|------------------|-------------------{% endif %}{% ifversion fpt %} +| `set_actions_fork_pr_approvals_policy` | Triggered when the setting for requiring approvals for workflows from public forks is changed for an enterprise. For more information, see "[Requiring approval for workflows from public forks](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account#requiring-approval-for-workflows-from-public-forks)."{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %} +| `set_actions_retention_limit` | Triggered when the retention period for {% data variables.product.prodname_actions %} artifacts and logs is changed for an enterprise. 
For more information, see "[Configuring the retention period for {% data variables.product.prodname_actions %} artifacts and logs in your enterprise account](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-enterprise-account)."{% endif %}{% ifversion fpt or ghes > 2.22 %} +| `set_fork_pr_workflows_policy` | Triggered when the policy for workflows on private repository forks is changed. For more information, see "{% ifversion fpt %}[Enabling workflows for private repository forks](/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account#enabling-workflows-for-private-repository-forks){% else ifversion ghes > 2.22 %}[Enabling workflows for private repository forks](/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enforcing-github-actions-policies-for-your-enterprise#enabling-workflows-for-private-repository-forks){% endif %}."{% endif %} + +{% ifversion fpt %} ### `codespaces` category actions | Action | Description 
@@ -202,16 +218,18 @@ An overview of some of the most common actions that are recorded as events in th | `update_an_org_secret` | Triggered when a user updates an organization-level [secret for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-encrypted-secrets-for-codespaces#about-encrypted-secrets-for-codespaces). | `remove_an_org_secret` | Triggered when a user removes an organization-level [secret for {% data variables.product.prodname_codespaces %}](/github/developing-online-with-codespaces/managing-encrypted-secrets-for-codespaces#about-encrypted-secrets-for-codespaces). | `manage_access_and_security` | Triggered when a user updates [which repositories a codespace can access](/github/developing-online-with-codespaces/managing-access-and-security-for-codespaces). +{% endif %} - - +{% ifversion fpt %} ### `dependabot_alerts` category actions | Action | Description |------------------|------------------- | `disable` | Triggered when an organization owner disables {% data variables.product.prodname_dependabot_alerts %} for all existing {% ifversion fpt %}private {% endif %}repositories. For more information, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)." | `enable` | Triggered when an organization owner enables {% data variables.product.prodname_dependabot_alerts %} for all existing {% ifversion fpt %}private {% endif %}repositories. +{% endif %} +{% ifversion fpt %} ### `dependabot_alerts_new_repos` category actions | Action | Description 
@@ -232,7 +250,9 @@ An overview of some of the most common actions that are recorded as events in th |------------------|------------------- | `disable` | Triggered when an organization owner disables {% data variables.product.prodname_dependabot_security_updates %} for all new repositories. For more information, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)." | `enable` | Triggered when an organization owner enables {% data variables.product.prodname_dependabot_security_updates %} for all new repositories. +{% endif %} +{% ifversion fpt %} ### `dependency_graph` category actions | Action | Description @@ -246,7 +266,6 @@ An overview of some of the most common actions that are recorded as events in th |------------------|------------------- | `disable` | Triggered when an organization owner disables the dependency graph for all new repositories. For more information, see "[Managing security and analysis settings for your organization](/organizations/keeping-your-organization-secure/managing-security-and-analysis-settings-for-your-organization)." | `enable` | Triggered when an organization owner enables the dependency graph for all new repositories. - {% endif %} ### `discussion_post` category actions 
@@ -390,8 +409,11 @@ For more information, see "[Managing the publication of {% data variables.produc | `runner_group_updated` | Triggered when the configuration of a self-hosted runner group is changed. For more information, see "[Changing the access policy of a self-hosted runner group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)." | `runner_group_runners_added` | Triggered when a self-hosted runner is added to a group. For more information, see [Moving a self-hosted runner to a group](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group). | `runner_group_runner_removed` | Triggered when the REST API is used to remove a self-hosted runner from a group. For more information, see "[Remove a self-hosted runner from a group for an organization](/rest/reference/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization)." -| `runner_group_runners_updated`| Triggered when a runner group's list of members is updated. For more information, see "[Set self-hosted runners in a group for an organization](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)."{% endif %}{% ifversion fpt %}{% ifversion fpt or ghes > 2.21 %} -| `self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."{% endif %} +| `runner_group_runners_updated`| Triggered when a runner group's list of members is updated. 
For more information, see "[Set self-hosted runners in a group for an organization](/rest/reference/actions#set-self-hosted-runners-in-a-group-for-an-organization)."{% endif %}{% ifversion fpt or ghes > 2.21 %} +| `self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."{% endif %}{% ifversion fpt %} +| `set_actions_fork_pr_approvals_policy` | Triggered when the setting for requiring approvals for workflows from public forks is changed for an organization. For more information, see "[Requiring approval for workflows from public forks](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks)."{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %} +| `set_actions_retention_limit` | Triggered when the retention period for {% data variables.product.prodname_actions %} artifacts and logs is changed. For more information, see "[Configuring the retention period for {% data variables.product.prodname_actions %} artifacts and logs in your organization](/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization)."{% endif %}{% ifversion fpt or ghes > 2.22 %} +| `set_fork_pr_workflows_policy` | Triggered when the policy for workflows on private repository forks is changed. 
For more information, see "[Enabling workflows for private repository forks](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks)."{% endif %}{% ifversion fpt %} | `unblock_user` | Triggered when an organization owner [unblocks a user from an organization](/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization).{% endif %}{% ifversion fpt or ghes > 2.21 %} | `update_actions_secret` |Triggered when a {% data variables.product.prodname_actions %} secret is updated.{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %} | `update_new_repository_default_branch_setting` | Triggered when an owner changes the name of the default branch for new repositories in the organization. For more information, see "[Managing the default branch name for repositories in your organization](/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization)."{% endif %} 
@@ -555,7 +577,10 @@ For more information, see "[Managing the publication of {% data variables.produc | `remove_self_hosted_runner` | Triggered when a self-hosted runner is removed. For more information, see "[Removing a runner from a repository](/actions/hosting-your-own-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository)." {% endif %} | `remove_topic` | Triggered when a repository admin removes a topic from a repository. | `rename` | Triggered when [a repository is renamed](/articles/renaming-a-repository).{% ifversion fpt or ghes > 2.21 %} -| `self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."{% endif %} +| `self_hosted_runner_updated` | Triggered when the runner application is updated. Can be viewed using the REST API and the UI; not visible in the JSON/CSV export. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners)."{% endif %}{% ifversion fpt %} +| `set_actions_fork_pr_approvals_policy` | Triggered when the setting for requiring approvals for workflows from public forks is changed. For more information, see "[Requiring approval for workflows from public forks](/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#requiring-approval-for-workflows-from-public-forks)."{% endif %}{% ifversion fpt or ghes > 2.22 or ghae %} +| `set_actions_retention_limit` | Triggered when the retention period for {% data variables.product.prodname_actions %} artifacts and logs is changed. 
For more information, see "[Configuring the retention period for {% data variables.product.prodname_actions %} artifacts and logs in your repository](/github/administering-a-repository/managing-repository-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository)."{% endif %}{% ifversion fpt or ghes > 2.22 %} +| `set_fork_pr_workflows_policy` | Triggered when the policy for workflows on private repository forks is changed. For more information, see "[Enabling workflows for private repository forks](/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#enabling-workflows-for-private-repository-forks)."{% endif %} | `transfer` | Triggered when [a repository is transferred](/articles/how-to-transfer-a-repository). | `transfer_start` | Triggered when a repository transfer is about to occur. | `unarchived` | Triggered when a repository admin unarchives a repository.{% ifversion fpt or ghes > 2.21 %} diff --git a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md index f419a8cb9d..d2924db9e5 100644 --- a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md +++ b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md 
@@ -71,6 +71,19 @@ You can disable all workflows for an organization or set a policy that configure {% endif %} +{% ifversion fpt %} +## Configuring required approval for workflows from public forks + +{% data reusables.actions.workflow-run-approve-public-fork %} You can configure this behavior for an organization using the procedure below. Modifying this setting overrides the configuration set at the enterprise level. + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.settings-sidebar-actions %} +{% data reusables.github-actions.workflows-from-public-fork-setting %} + +{% data reusables.actions.workflow-run-approve-link %} +{% endif %} + {% ifversion fpt or ghes > 2.22 %} ## Enabling workflows for private repository forks diff --git a/data/reusables/actions/workflow-run-approve-link.md b/data/reusables/actions/workflow-run-approve-link.md new file mode 100644 index 0000000000..90f83dc52a --- /dev/null +++ b/data/reusables/actions/workflow-run-approve-link.md @@ -0,0 +1 @@ +For more information about approving workflow runs that this policy applies to, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)." diff --git a/data/reusables/actions/workflow-run-approve-public-fork.md b/data/reusables/actions/workflow-run-approve-public-fork.md new file mode 100644 index 0000000000..1eeb41311a --- /dev/null +++ b/data/reusables/actions/workflow-run-approve-public-fork.md 
@@ -0,0 +1,3 @@ +Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. + +To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows. diff --git a/data/reusables/developer-site/pull_request_forked_repos_link.md b/data/reusables/developer-site/pull_request_forked_repos_link.md index 985f5e30ac..a46c58ce61 100644 --- a/data/reusables/developer-site/pull_request_forked_repos_link.md +++ b/data/reusables/developer-site/pull_request_forked_repos_link.md 
@@ -11,7 +11,7 @@ When you create a pull request from a forked repository to the base repository, Workflows don't run on forked repositories by default. You must enable GitHub Actions in the **Actions** tab of the forked repository. {% ifversion fpt %} -When a first-time contributor submits a pull request to a public repository, a maintainer with write access must approve running workflows on the pull request. For more information, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)." +When a first-time contributor submits a pull request to a public repository, a maintainer with write access may need to approve running workflows on the pull request. For more information, see "[Approving workflow runs from public forks](/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)." {% endif %} {% data reusables.actions.forked-secrets %} The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "[Authenticating with the GITHUB_TOKEN](/actions/configuring-and-managing-workflows/authenticating-with-the-github_token)." diff --git a/data/reusables/github-actions/workflows-from-public-fork-setting.md b/data/reusables/github-actions/workflows-from-public-fork-setting.md new file mode 100644 index 0000000000..14a92f7bfd --- /dev/null +++ b/data/reusables/github-actions/workflows-from-public-fork-setting.md @@ -0,0 +1,4 @@ +1. Under **Fork pull request workflows from outside collaborators**, select your option. The options are listed from least restrictive to most restrictive. + + ![Setting for approval for workflows from public forks](/assets/images/help/settings/actions-fork-pull-request-approval.png) +1. Click **Save** to apply the settings. \ No newline at end of file
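Review bot: The new `set_actions_fork_pr_approvals_policy` rows in reviewing-the-audit-log-for-your-organization.md (the `business` table and the hunks at `@@ -390,8 +409,11 @@` and `@@ -555,7 +577,10 @@`) link to `#requiring-approval-for-workflows-from-public-forks`, but the heading this patch adds to the enterprise, organization and repository settings pages is "Configuring required approval for workflows from public forks", and approving-workflow-runs-from-public-forks.md links to it as `#configuring-required-approval-for-workflows-from-public-forks`. Point the three audit log links at that same anchor so they resolve to the section. In the same `business` table, the `set_fork_pr_workflows_policy` row branches with `{% else ifversion ghes > 2.22 %}`; Liquid's else-if tag is `elsif`, so this is not a conditional branch. Use `{% elsif ghes > 2.22 %}`, or a plain `{% else %}` given that the enclosing condition is already `fpt or ghes > 2.22`.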
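Review bot: In the category overview table of reviewing-the-audit-log-for-your-organization.md (hunk `@@ -35,7 +35,8 @@`), the new `business` row is wrapped in `{% ifversion fpt or ghes > 2.22 or ghae %}` but sits inside the `{% ifversion fpt %}` block that opens after the table separator and closes after the `dependency_graph_new_repos` row. The row will therefore render only for fpt, while the `business` category actions section added further down is versioned for ghes > 2.22 and ghae as well, leaving that section without an index entry on those versions. Move the row outside the fpt block or drop the inner condition. The `enterprise` row added in the next hunk links to `#enterprise-category-actions`, and no hunk in this patch adds a section with that heading; confirm the target already exists in the file.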
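Review bot: The repository and organization sections each say that modifying the setting "overrides the configuration set at the" higher level, but the enterprise section in enforcing-github-actions-policies-in-your-enterprise-account.md says nothing about being overridable, and none of the three says whether a lower level can select a less restrictive option than the one set above it. Since this setting decides when workflows from public forks run without a maintainer's approval, enterprise and organization owners need that stated. Add a sentence to the enterprise section describing the precedence, and say in the shared text whether the override works in both directions.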
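Review bot: The patch uses three different terms for the people the policy applies to: the new intro in approving-workflow-runs-from-public-forks.md says "outside contributor", workflow-run-approve-public-fork.md says "some outside contributors" and "first-time contributors", pull_request_forked_repos_link.md still says "When a first-time contributor submits" while changing "must" to "may need to", and the setting label in workflows-from-public-fork-setting.md reads "outside collaborators". Because the policy is now configurable, "first-time contributor" in pull_request_forked_repos_link.md no longer matches the hedged "may need to"; align it with the "outside contributor" wording of the intro. Also check the bolded label against the UI, since "outside collaborator" has its own meaning for organization repositories and readers may take it in that sense.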