Add guide for enterprise-level self-hosted runners with GitHub Actions (#25123)
@@ -13,7 +13,8 @@ learningTracks:
|
||||
- continuous_integration
|
||||
- continuous_deployment
|
||||
- deploy_to_the_cloud
|
||||
- '{% ifversion ghec or ghes or ghae %}adopting_github_actions_for_your_enterprise{% endif %}'
|
||||
- adopting_github_actions_for_your_enterprise_ghec
|
||||
- adopting_github_actions_for_your_enterprise_ghes_and_ghae
|
||||
- hosting_your_own_runners
|
||||
- create_actions
|
||||
includeGuides:
|
||||
|
||||
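Review bot: The two new entries, `adopting_github_actions_for_your_enterprise_ghec` and `adopting_github_actions_for_your_enterprise_ghes_and_ghae`, are listed without the `{% ifversion ghec or ghes or ghae %}` guard that wrapped the track they replace. Please confirm that each new track carries its own version restriction where it is defined, so that neither shows up on plans that the old guard excluded.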
@@ -12,13 +12,16 @@ versions:
|
||||
type: overview
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
## About self-hosted runners
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-description %} Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud.
|
||||
A self-hosted runner is a system that you deploy and manage to execute jobs from {% data variables.product.prodname_actions %} on {% ifversion ghae or ghec %}{% data variables.product.product_name %}{% else %}{% data variables.product.product_location %}{% endif %}. For more information about {% data variables.product.prodname_actions %}, see "[Understanding {% data variables.product.prodname_actions %}](/actions/learn-github-actions/understanding-github-actions){% ifversion fpt %}."{% elsif ghec or ghes or ghae %}" and "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."{% endif %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-description %} {% data reusables.actions.self-hosted-runner-locations %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-architecture %} {% data reusables.actions.runner-app-open-source %} When a new version is released, the runner application automatically updates itself when a job is assigned to the runner, or within a week of release if the runner hasn't been assigned any jobs.
|
||||
|
||||
You can add self-hosted runners at various levels in the management hierarchy:
|
||||
- Repository-level runners are dedicated to a single repository.
|
||||
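Review bot: In the new opening paragraph the closing punctuation of the first link is split across the conditional (`{% ifversion fpt %}."{% elsif ghec or ghes or ghae %}" and "[About ...`), which is easy to break on a later edit and hard for translators to follow. Consider closing the first quotation outside the conditional and putting only the optional second link inside it. The paragraph is also followed directly by `{% data reusables.actions.self-hosted-runner-description %}`, so it is worth checking that the rendered page does not define a self-hosted runner twice in a row.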
@@ -59,7 +62,7 @@ You can use any machine as a self-hosted runner as long at it meets these requir
|
||||
* The machine has enough hardware resources for the type of workflows you plan to run. The self-hosted runner application itself only requires minimal resources.
|
||||
* If you want to run workflows that use Docker container actions or service containers, you must use a Linux machine and Docker must be installed.
|
||||
|
||||
{% ifversion fpt or ghes > 3.2 or ghec %}
|
||||
{% ifversion fpt or ghes > 3.2 or ghec or ghae-issue-4462 %}
|
||||
## Autoscaling your self-hosted runners
|
||||
|
||||
You can automatically increase or decrease the number of self-hosted runners in your environment in response to the webhook events you receive. For more information, see "[Autoscaling with self-hosted runners](/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners)."
|
||||
@@ -133,12 +136,7 @@ The self-hosted runner polls {% data variables.product.product_name %} to retrie
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-ports-protocols %}
|
||||
|
||||
{% ifversion ghae %}
|
||||
You must ensure that the self-hosted runner has appropriate network access to communicate with the {% data variables.product.prodname_ghe_managed %} URL and its subdomains.
|
||||
For example, if your instance name is `octoghae`, then you will need to allow the self-hosted runner to access `octoghae.githubenterprise.com`, `api.octoghae.githubenterprise.com`, and `codeload.octoghae.githubenterprise.com`.
|
||||
|
||||
If you use an IP address allow list for your {% data variables.product.prodname_dotcom %} organization or enterprise account, you must add your self-hosted runner's IP address to the allow list. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list)."
|
||||
{% endif %}
|
||||
{% data reusables.actions.self-hosted-runner-communications-for-ghae %}
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
|
||||
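Review bot: The inline GHAE text sat inside `{% ifversion ghae %}` ... `{% endif %}`, but the replacement `{% data reusables.actions.self-hosted-runner-communications-for-ghae %}` is included with no guard around it. Unless the reusable carries its own `ifversion ghae` wrapper, the `octoghae.githubenterprise.com` hostnames and the IP allow list paragraph will render for every version. Please confirm the guard lives in the reusable, and that the allow list paragraph moved with it, since it tells administrators which runner addresses must be permitted.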
@@ -242,3 +240,11 @@ Untrusted workflows running on your self-hosted runner pose significant security
|
||||
* Persisting unwanted or dangerous data on the machine.
|
||||
|
||||
For more information about security hardening for self-hosted runners, see "[Security hardening for {% data variables.product.prodname_actions %}](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)."
|
||||
|
||||
{% ifversion ghec or ghes or ghae %}
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[Getting started with self-hosted runners for your enterprise](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)"
|
||||
|
||||
{% endif %}
|
||||
|
||||
@@ -13,7 +13,6 @@ type: tutorial
|
||||
shortTitle: Add self-hosted runners
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
@@ -33,6 +32,16 @@ For more information, see "[About self-hosted runners](/github/automating-your-w
|
||||
{% endwarning %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghec or ghes > 3.2 %}
|
||||
|
||||
You can set up automation to scale the number of self-hosted runners. For more information, see "[Autoscaling with self-hosted runners](/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Prerequisites
|
||||
|
||||
{% data reusables.actions.self-hosted-runners-prerequisites %}
|
||||
|
||||
## Adding a self-hosted runner to a repository
|
||||
|
||||
You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, you must be an organization owner or have admin access to the repository. For information about how to add a self-hosted runner with the REST API, see "[Self-hosted runners](/rest/reference/actions#self-hosted-runners)."
|
||||
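Review bot: The autoscaling pointer added here is gated on `{% ifversion fpt or ghec or ghes > 3.2 %}`, while the same link in the "About self-hosted runners" hunk uses `fpt or ghes > 3.2 or ghec or ghae-issue-4462` and the autoscaling article's front matter in this commit lists `ghae: 'issue-4462'`. Suggest adding `or ghae-issue-4462` here so the three stay in step.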
@@ -53,6 +62,8 @@ You can add self-hosted runners to a single repository. To add a self-hosted run
|
||||
{% endif %}
|
||||
{% data reusables.actions.self-hosted-runner-check-installation-success %}
|
||||
|
||||
For more information, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners)."
|
||||
|
||||
## Adding a self-hosted runner to an organization
|
||||
|
||||
You can add self-hosted runners at the organization level, where they can be used to process jobs for multiple repositories in an organization. To add a self-hosted runner to an organization, you must be an organization owner. For information about how to add a self-hosted runner with the REST API, see "[Self-hosted runners](/rest/reference/actions#self-hosted-runners)."
|
||||
@@ -71,9 +82,10 @@ You can add self-hosted runners at the organization level, where they can be use
|
||||
1. Under {% ifversion ghes > 3.1 or ghae %}"Runners", click **Add new**, then click **New runner**.{% elsif ghes < 3.2 %}"Self-hosted runners", click **Add runner**."{% endif %}
|
||||
{% data reusables.actions.self-hosted-runner-configure %}
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-check-installation-success %}
|
||||
|
||||
For more information, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners)."
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-public-repo-access %}
|
||||
|
||||
## Adding a self-hosted runner to an enterprise
|
||||
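Review bot: The step `click **Add runner**."{% endif %}` in the `ghes < 3.2` branch ends with a closing quotation mark that has no opening partner, so it renders as a stray `"` after the period. Since this list is being touched anyway, drop the quote so the branch ends `click **Add runner**.{% endif %}`.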
@@ -81,29 +93,20 @@ You can add self-hosted runners at the organization level, where they can be use
|
||||
{% ifversion fpt %}If you use {% data variables.product.prodname_ghe_cloud %}, you{% elsif ghec or ghes or ghae %}You{% endif %} can add self-hosted runners to an enterprise, where they can be assigned to multiple organizations. The organization admins are then able to control which repositories can use it. {% ifversion fpt %}For more information, see the [{% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-enterprise).{% endif %}
|
||||
|
||||
{% ifversion ghec or ghes or ghae %}
|
||||
|
||||
New runners are assigned to the default group. You can modify the runner's group after you've registered the runner. For more information, see "[Managing access to self-hosted runners](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group)."
|
||||
|
||||
{% ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
To add a self-hosted runner to an enterprise account, you must be an enterprise owner. For information about how to add a self-hosted runner with the REST API, see the enterprise endpoints in the [{% data variables.product.prodname_actions %} REST API](/rest/reference/actions#self-hosted-runners).
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Click **New runner**.
|
||||
{% data reusables.actions.self-hosted-runner-configure %}
|
||||
{% elsif ghae or ghes < 3.4 %}
|
||||
To add a self-hosted runner at the enterprise level of {% data variables.product.product_location %}, you must be a site administrator.
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Click **Add new**, then click **New runner**.
|
||||
{% data reusables.actions.self-hosted-runner-configure %}
|
||||
To add a self-hosted runner to an enterprise, you must be an enterprise owner. For information about how to add a self-hosted runner with the REST API, see the enterprise endpoints in the [{% data variables.product.prodname_actions %} REST API](/rest/reference/actions#self-hosted-runners).
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-add-to-enterprise %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-check-installation-success %}
|
||||
|
||||
For more information, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners)."
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-public-repo-access %}
|
||||
|
||||
### Making enterprise runners available to repositories
|
||||
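Review bot: The role required to register an enterprise runner is stated two ways in this hunk: "you must be a site administrator" in the `ghae or ghes < 3.4` branch and "you must be an enterprise owner" in the unconditional sentence. If the single enterprise-owner sentence is meant to replace both branches, please confirm it is accurate for the GHES releases that previously got the site administrator wording, because this sentence is what readers rely on to know who can attach a runner that multiple organizations will share. Separately, "control which repositories can use it" follows the plural "self-hosted runners"; "use them" would read correctly.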
@@ -114,3 +117,11 @@ To make an enterprise-level self-hosted runner group available to an organizatio
|
||||
|
||||
For more information on changing runner group access settings, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghec or ghes or ghae %}
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[Getting started with self-hosted runners for your enterprise](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)"
|
||||
|
||||
{% endif %}
|
||||
|
||||
@@ -5,10 +5,10 @@ versions:
|
||||
fpt: '*'
|
||||
ghec: '*'
|
||||
ghes: '>3.2'
|
||||
ghae: 'issue-4462'
|
||||
type: overview
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ defaultPlatform: linux
|
||||
shortTitle: Run runner app on startup
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -27,6 +27,6 @@ children:
|
||||
- /monitoring-and-troubleshooting-self-hosted-runners
|
||||
- /removing-self-hosted-runners
|
||||
---
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
@@ -12,7 +12,6 @@ type: tutorial
|
||||
shortTitle: Manage runner groups
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
@@ -69,17 +68,19 @@ When creating a group, you must choose a policy that defines which repositories
|
||||

|
||||
1. Enter a name for your runner group, and assign a policy for repository access.
|
||||
|
||||
{% ifversion ghes or ghae %} You can configure a runner group to be accessible to a specific list of repositories, or to all repositories in the organization. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.{% endif %}
|
||||
You can configure a runner group to be accessible to a specific list of repositories, or to all repositories in the organization.{% ifversion ghec or ghes %} By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.{% endif %}
|
||||
|
||||
{%- ifversion ghes %}
|
||||
{% warning %}
|
||||
|
||||
**Warning**
|
||||
**Warning**:
|
||||
|
||||
{% indented_data_reference reusables.actions.self-hosted-runner-security spaces=3 %}
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)."
|
||||
|
||||
{% endwarning %}
|
||||
{%- endif %}
|
||||
|
||||

|
||||
1. Click **Save group** to create the group and apply the policy.
|
||||
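Review bot: The sentence "By default, only private repositories can access runners in a runner group, but you can override this" is shown for `ghec or ghes`, but the warning block that follows it is gated on `{%- ifversion ghes %}` only. GHEC readers are therefore told they can open a runner group to public repositories without seeing the `self-hosted-runner-security` warning. The enterprise section of this same file uses `{%- ifversion ghec or ghes %}` for the warning; suggest using the same condition here.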
@@ -93,49 +94,29 @@ Self-hosted runners are automatically assigned to the default group when created
|
||||
|
||||
When creating a group, you must choose a policy that defines which organizations have access to the runner group.
|
||||
|
||||
{% ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runner-groups-tab %}
|
||||
1. Click **New runner group**.
|
||||
{% data reusables.actions.runner-group-assign-policy-org %}
|
||||
{% data reusables.actions.self-hosted-runner-groups-add-to-enterprise-first-steps %}
|
||||
1. To choose a policy for organization access, select the **Organization access** drop-down, and click a policy. You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise.{% ifversion ghes %} By default, only private repositories can access runners in a runner group, but you can override this.{% endif %}
|
||||
|
||||
{%- ifversion ghec or ghes %}
|
||||
{% warning %}
|
||||
|
||||
**Warning**
|
||||
|
||||
{% indented_data_reference reusables.actions.self-hosted-runner-security spaces=3 %}
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)."
|
||||
|
||||
{% endwarning %}
|
||||
{% data reusables.actions.self-hosted-runner-create-group %}
|
||||
{% elsif ghae or ghes < 3.4 %}
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Click **Add new**, and then **New group**.
|
||||
|
||||

|
||||
1. Enter a name for your runner group, and assign a policy for organization access.
|
||||
|
||||
You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning**
|
||||
**Warning**:
|
||||
|
||||
{% indented_data_reference reusables.actions.self-hosted-runner-security spaces=3 %}
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)."
|
||||
|
||||
{% endwarning %}
|
||||
{%- endif %}
|
||||
{%- ifversion ghec or ghes %}
|
||||
|
||||

|
||||
{%- elsif ghae %}
|
||||
|
||||

|
||||
{%- endif %}
|
||||
1. Click **Save group** to create the group and apply the policy.
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Changing the access policy of a self-hosted runner group
|
||||
@@ -146,15 +127,17 @@ You can update the access policy of a runner group, or rename a runner group.
|
||||
{% data reusables.actions.settings-sidebar-actions-runner-groups-selection %}
|
||||
1. Modify the access options, or change the runner group name.
|
||||
|
||||
{%- ifversion fpt or ghec or ghes %}
|
||||
{% warning %}
|
||||
|
||||
**Warning**
|
||||
**Warning**:
|
||||
|
||||
{% indented_data_reference reusables.actions.self-hosted-runner-security spaces=3 %}
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)."
|
||||
|
||||
{% endwarning %}
|
||||
{%- endif %}
|
||||
{% elsif ghae or ghes < 3.4 %}
|
||||
{% data reusables.actions.self-hosted-runner-configure-runner-group-access %}
|
||||
{% endif %}
|
||||
@@ -181,7 +164,7 @@ If you don't specify a runner group during the registration process, your new se
|
||||
{% data reusables.actions.self-hosted-runner-navigate-to-org-enterprise %}
|
||||
{% ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
1. In the "Runners" list, click the runner that you want to configure.
|
||||
2. Select the Runner group dropdown menu.
|
||||
2. Select the **Runner group** drop-down.
|
||||
3. In "Move runner to group", choose a destination group for the runner.
|
||||
{% elsif ghae or ghes < 3.4 %}
|
||||
1. In the {% ifversion ghes > 3.1 or ghae %}"Runner groups"{% elsif ghes < 3.2 %}"Self-hosted runners"{% endif %} section of the settings page, locate the current group of the runner you want to move and expand the list of group members.
|
||||
|
||||
@@ -15,7 +15,6 @@ defaultPlatform: linux
|
||||
shortTitle: Monitor & troubleshoot
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ type: tutorial
|
||||
shortTitle: Remove self-hosted runners
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -12,7 +12,6 @@ type: tutorial
|
||||
shortTitle: Proxy servers
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -10,7 +10,6 @@ type: tutorial
|
||||
shortTitle: Label runners
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -13,7 +13,6 @@ type: tutorial
|
||||
shortTitle: Use runners in a workflow
|
||||
---
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
{% data reusables.actions.enterprise-beta %}
|
||||
{% data reusables.actions.enterprise-github-hosted-runners %}
|
||||
|
||||
|
||||
@@ -26,8 +26,22 @@ topics:
|
||||
|
||||
{% data variables.product.prodname_actions %} goes beyond just DevOps and lets you run workflows when other events happen in your repository. For example, you can run a workflow to automatically add the appropriate labels whenever someone creates a new issue in your repository.
|
||||
|
||||
{% ifversion fpt or ghec %}
|
||||
|
||||
{% data variables.product.prodname_dotcom %} provides Linux, Windows, and macOS virtual machines to run your workflows, or you can host your own self-hosted runners in your own data center or cloud infrastructure.
|
||||
|
||||
{% elsif ghes or ghae %}
|
||||
|
||||
You must host your own Linux, Windows, or macOS virtual machines to run workflows for {% data variables.product.product_location %}. {% data reusables.actions.self-hosted-runner-locations %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghec or ghes or ghae %}
|
||||
|
||||
For more information about introducing {% data variables.product.prodname_actions %} to your enterprise, see "[Introducing {% data variables.product.prodname_actions %} to your enterprise](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
## The components of {% data variables.product.prodname_actions %}
|
||||
|
||||
You can configure a {% data variables.product.prodname_actions %} _workflow_ to be triggered when an _event_ occurs in your repository, such as a pull request being opened or an issue being created. Your workflow contains one or more _jobs_ which can run in sequential order or in parallel. Each job will run inside its own virtual machine _runner_, or inside a container, and has one or more _steps_ that either run a script that you define or run an _action_, which is a reusable extension that can simplify your workflow.
|
||||
|
||||
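Review bot: The `ghes or ghae` sentence says "You must host your own Linux, Windows, or macOS virtual machines", and is followed by `{% data reusables.actions.self-hosted-runner-locations %}`. In the "About self-hosted runners" hunk that reusable stands where the text "Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud" used to be, so if it carries that sentence the two statements contradict each other. Suggest "machines" instead of "virtual machines", matching the wording used in the GHAE getting-started change in this commit.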
@@ -263,7 +263,7 @@ This list describes the recommended approaches for accessing repository data wit
|
||||
|
||||
{% ifversion fpt or ghec %}**Self-hosted**{% elsif ghes or ghae %}Self-hosted{% endif %} runners for {% data variables.product.product_name %} do not have guarantees around running in ephemeral clean virtual machines, and can be persistently compromised by untrusted code in a workflow.
|
||||
|
||||
{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read-access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, depending on its settings, can grant {% else %} grants {% endif %}write-access permissions on the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.
|
||||
{% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which{% ifversion fpt or ghes > 3.1 or ghae or ghec %}, depending on its settings, can grant {% else %} grants {% endif %}write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner.
|
||||
|
||||
When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. For more information, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups)."
|
||||
|
||||
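Review bot: The edited sentence still reads "anyone who can fork the repository and open a pull request (...) are able to compromise the self-hosted runner environment"; the subject is "anyone", so the verb should be "is able to". Since the line is already being changed for "read access" and "write access", it would be good to fix the agreement in the same pass.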
@@ -277,12 +277,12 @@ Some customers might attempt to partially mitigate these risks by implementing s
|
||||
|
||||
A self-hosted runner can be added to various levels in your {% data variables.product.prodname_dotcom %} hierarchy: the enterprise, organization, or repository level. This placement determines who will be able to manage the runner:
|
||||
|
||||
**Centralised management:**
|
||||
**Centralized management:**
|
||||
- If you plan to have a centralized team own the self-hosted runners, then the recommendation is to add your runners at the highest mutual organization or enterprise level. This gives your team a single location to view and manage your runners.
|
||||
- If you only have a single organization, then adding your runners at the organization level is effectively the same approach, but you might encounter difficulties if you add another organization in the future.
|
||||
|
||||
**De-centralised management:**
|
||||
- If each team will manage their own self-hosted runners, then its recommended that you add the runners at the highest level of team ownership. For example, if each team owns their own organization, then it will be simplest if the runners are added at the organization level too.
|
||||
**Decentralized management:**
|
||||
- If each team will manage their own self-hosted runners, then the recommendation is to add the runners at the highest level of team ownership. For example, if each team owns their own organization, then it will be simplest if the runners are added at the organization level too.
|
||||
- You could also add runners at the repository level, but this will add management overhead and also increases the numbers of runners you need, since you cannot share runners between repositories.
|
||||
|
||||
{% ifversion fpt or ghec or ghae-issue-4856 %}
|
||||
|
||||
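Review bot: The last bullet under "Decentralized management" was left as "this will add management overhead and also increases the numbers of runners you need", which mixes tenses and uses "numbers" for a single count. As this hunk is a copy-edit of the list, suggest "this will add management overhead and increase the number of runners you need".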
@@ -22,7 +22,7 @@ topics:
|
||||
|
||||
## About {% data variables.product.prodname_actions %} for enterprises
|
||||
|
||||
With {% data variables.product.prodname_actions %}, you can improve developer productivity by automating every phase of your enterprise's software development workflow.
|
||||
{% data reusables.actions.about-actions-for-enterprises %}
|
||||
|
||||
| Task | More information |
|
||||
| ---- | ---------------- |
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
title: Getting started with GitHub Actions for GitHub AE
|
||||
shortTitle: Get started
|
||||
intro: 'Learn about configuring {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_managed %}.'
|
||||
permissions: 'Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
|
||||
permissions: 'Enterprise owners can enable {% data variables.product.prodname_actions %} and configure enterprise settings.'
|
||||
versions:
|
||||
ghae: '*'
|
||||
type: how_to
|
||||
@@ -17,9 +17,7 @@ redirect_from:
|
||||
|
||||
## About {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_managed %}
|
||||
|
||||
This article explains how site administrators can configure {% data variables.product.prodname_ghe_managed %} to use {% data variables.product.prodname_actions %}.
|
||||
|
||||
{% data variables.product.prodname_actions %} is enabled for {% data variables.product.prodname_ghe_managed %} by default. To get started using {% data variables.product.prodname_actions %} within your enterprise, you need to manage access permissions for {% data variables.product.prodname_actions %} and add runners to run workflows.
|
||||
{% data variables.product.prodname_actions %} is enabled for {% data variables.product.product_name %} by default. To get started using {% data variables.product.prodname_actions %} within your enterprise, you need to manage access permissions for {% data variables.product.prodname_actions %} and add runners to run workflows.
|
||||
|
||||
{% data reusables.actions.introducing-enterprise %}
|
||||
|
||||
@@ -31,6 +29,6 @@ You can use policies to manage access to {% data variables.product.prodname_acti
|
||||
|
||||
## Adding runners
|
||||
|
||||
You can configure and host servers to run jobs for your enterprise on {% data variables.product.product_name %}. {% data reusables.actions.about-self-hosted-runners %} For more information, see "[Hosting your own runners](/actions/hosting-your-own-runners)."
|
||||
You must configure and host your own machines to run jobs for your enterprise on {% data variables.product.product_name %}. {% data reusables.actions.about-self-hosted-runners %} For more information, see "[Getting started with self-hosted runners for your enterprise](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise)" and "[Hosting your own runners](/actions/hosting-your-own-runners)."
|
||||
|
||||
{% data reusables.actions.general-security-hardening %}
|
||||
|
||||
@@ -29,6 +29,6 @@ To run {% data variables.product.prodname_actions %} workflows, you need to use
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)."
|
||||
|
||||
If you choose self-hosted runners, you can add runners at the enterprise, organization, or repository levels. For more information, see "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)"
|
||||
If you choose self-hosted runners, you can add runners at the enterprise, organization, or repository levels. For more information, see "[Adding self-hosted runners](/actions/hosting-your-own-runners/adding-self-hosted-runners)."
|
||||
|
||||
{% data reusables.actions.general-security-hardening %}
|
||||
|
||||
@@ -148,6 +148,6 @@ For more information, see "[About using actions in your enterprise](/admin/githu
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Reserved Names
|
||||
## Reserved names
|
||||
|
||||
When you enable {% data variables.product.prodname_actions %} for your enterprise, two organizations are created: `github` and `actions`. If your enterprise already uses the `github` organization name, `github-org` (or `github-github-org` if `github-org` is also in use) will be used instead. If your enterprise already uses the `actions` organization name, `github-actions` (or `github-actions-org` if `github-actions` is also in use) will be used instead. Once actions is enabled, you won't be able to use these names anymore.
|
||||
|
||||
@@ -0,0 +1,150 @@
|
||||
---
|
||||
title: Getting started with self-hosted runners for your enterprise
|
||||
shortTitle: Self-hosted runners
|
||||
intro: You can configure a runner machine for your enterprise so your developers can start automating workflows with {% data variables.product.prodname_actions %}.
|
||||
versions:
|
||||
ghec: '*'
|
||||
ghes: '*'
|
||||
ghae: '*'
|
||||
permissions: Enterprise owners can configure policies for {% data variables.product.prodname_actions %} and add self-hosted runners to the enterprise.
|
||||
type: quick_start
|
||||
topics:
|
||||
- Actions
|
||||
- Enterprise
|
||||
- Fundamentals
|
||||
---
|
||||
|
||||
## About self-hosted runners for {% data variables.product.prodname_actions %}
|
||||
|
||||
{% data reusables.actions.about-actions-for-enterprises %} For more information, see "[About {% data variables.product.prodname_actions %} for enterprises](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises)."
|
||||
|
||||
With {% data variables.product.prodname_actions %}, developers can write and combine individual tasks called actions to create custom workflows. {% ifversion ghes or ghae %}To enable {% data variables.product.prodname_actions %} for {% ifversion ghae %}your enterprise{% elsif ghes %} {% data variables.product.product_location %}{% endif %}, you must host at least one machine to execute jobs.{% endif %} {% ifversion ghec %}You can host your own runner machine to execute jobs, and this{% elsif ghes or ghae %}This{% endif %} machine is called a self-hosted runner. {% data reusables.actions.self-hosted-runner-locations %} {% data reusables.actions.self-hosted-runner-architecture %} {% ifversion ghec %}All{% elsif ghes or ghae %}Self-hosted{% endif %} runners can run Linux, Windows, or macOS. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners)."
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
Alternatively, you can use runner machines that {% data variables.product.company_short %} hosts. {% data variables.product.company_short %}-hosted runners are outside the scope of this guide. For more information, see "[About {% data variables.product.company_short %}-hosted runners](/actions/using-github-hosted-runners/about-github-hosted-runners)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
This guide shows you how to apply a centralized management approach to self-hosted runners for {% data variables.product.prodname_actions %} in your enterprise. In the guide, you'll complete the following tasks.
|
||||
|
||||
1. Configure a limited policy to restrict the actions that can run within your enterprise
|
||||
1. Deploy a self-hosted runner for your enterprise
|
||||
1. Create a group to manage access to the runners available to your enterprise
|
||||
1. Optionally, further restrict the repositories that can use the runner
|
||||
{%- ifversion ghec or ghae-issue-4462 or ghes > 3.2 %}
|
||||
1. Optionally, build custom tooling to automatically scale your self-hosted runners
|
||||
{% endif %}
|
||||
|
||||
You'll also find additional information about how to monitor and secure your self-hosted runners,{% ifversion ghes or ghae %} how to access actions from {% data variables.product.prodname_dotcom_the_website %},{% endif %} and how to customize the software on your runner machines.
|
||||
|
||||
After you finish the guide, {% ifversion ghec or ghae %}members of your enterprise{% elsif ghes %}users of {% data variables.product.product_location %}{% endif %} will be able to run workflow jobs from {% data variables.product.prodname_actions %} on a self-hosted runner machine.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
{% data reusables.actions.self-hosted-runners-prerequisites %}
|
||||
|
||||
- Your enterprise must own at least one organization. For more information, see "[About organizations](/organizations/collaborating-with-groups-in-organizations/about-organizations)" and "[Creating a new organization from scratch](/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch)."
|
||||
|
||||
## 1. Configure policies for {% data variables.product.prodname_actions %}
|
||||
|
||||
First, enable {% data variables.product.prodname_actions %} for all organizations, and configure a policy to restrict the actions that can run {% ifversion ghec or ghae%}within your enterprise on {% data variables.product.product_name %}{% elsif ghes %}on {% data variables.product.product_location %}{% endif %}. Optionally, organization owners can further restrict these policies for each organization.
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
1. Under "Policies", select **Enable for all organizations**.
|
||||
|
||||

|
||||
1. Select **Allow select actions** and **Allow actions created by GitHub** to allow local actions and actions created by {% data variables.product.company_short %}.
|
||||
|
||||

|
||||
1. Click **Save**.
|
||||
|
||||
You can configure additional policies to restrict the actions available to {% ifversion ghec or ghae %}enterprise members{% elsif ghes %}users of {% data variables.product.product_location %}{% endif %}. For more information, see "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-to-run)."
|
||||
|
||||
## 2. Deploy the self-hosted runner for your enterprise
|
||||
|
||||
Next, add a self-hosted runner to your enterprise. {% data variables.product.product_name %} will guide you through installation of the necessary software on the runner machine. After you deploy the runner, you can verify connectivity between the runner machine and {%ifversion ghec or ghae %}your enterprise{% elsif ghes %}{% data variables.product.product_location %}{% endif %}.
|
||||
|
||||
### Adding the self-hosted runner
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-add-to-enterprise %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-check-installation-success %}
|
||||
|
||||
## 3. Manage access to the self-hosted runner using a group
|
||||
|
||||
You can create a runner group to manage access to the runner that you added to your enterprise. You'll use the group to choose which organizations can execute jobs from {% data variables.product.prodname_actions %} on the runner.
|
||||
|
||||
{% data variables.product.product_name %} adds all new runners to a group. Runners can be in one group at a time. By default, {% data variables.product.product_name %} adds new runners to the "Default" group.
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-groups-add-to-enterprise-first-steps %}
|
||||
1. To choose a policy for organization access, under "Organization access", select the **Organization access** drop-down, and click **Selected organizations**.
|
||||
1. To the right of the drop-down with the organization access policy, click {% octicon "gear" aria-label="The Gear icon" %}.
|
||||
1. Select the organizations you'd like to grant access to the runner group.
|
||||
{%- ifversion ghec or ghes %}
|
||||
1. Optionally, to allow public repositories in the selected organizations to use runners in the group, select **Allow public repositories**.
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning**:
|
||||
|
||||
{% indented_data_reference reusables.actions.self-hosted-runner-security spaces=3 %}
|
||||
|
||||
For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#self-hosted-runner-security-with-public-repositories)."
|
||||
|
||||
{% endwarning %}
|
||||
{%- endif %}
|
||||
{% data reusables.actions.self-hosted-runner-create-group %}
|
||||
{%- ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
1. Click the "Runners" tab.
|
||||
1. In the list of runners, click the runner that you deployed in the previous section.
|
||||
1. Click **Edit**.
|
||||
1. Click **Runner groups {% octicon "gear" aria-label="The Gear icon" %}**.
|
||||
1. In the list of runner groups, click the name of the group that you previously created.
|
||||
1. Click **Save** to move the runner to the group.
|
||||
{%- elsif ghes < 3.4 or ghae %}
|
||||
1. To the right of "Default", click the number of runners in the group to show the runners.
|
||||
1. Select the runner that you deployed.
|
||||
1. To the right of "Runner groups", select the **Move to group** dropdown, and click the group that you previously created.
|
||||
{%- endif %}
|
||||
|
||||
You've now deployed a self-hosted runner that can run jobs from {% data variables.product.prodname_actions %} within the organizations that you specified.
|
||||
|
||||
## 4. Further restrict access to the self-hosted runner
|
||||
|
||||
Optionally, organization owners can further restrict the access policy of the runner group that you created. For example, an organization owner could allow only certain repositories in the organization to use the runner group.
|
||||
|
||||
For more information, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group)."
|
||||
|
||||
{% ifversion ghec or ghae-issue-4462 or ghes > 3.2 %}
|
||||
|
||||
## 5. Automatically scale your self-hosted runners
|
||||
|
||||
Optionally, you can build custom tooling to automatically scale the self-hosted runners for {% ifversion ghec or ghae %}your enterprise{% elsif ghes %}{% data variables.product.product_location %}{% endif %}. For example, your tooling can respond to webhook events from {% data variables.product.product_location %} to automatically scale a cluster of runner machines. For more information, see "[Autoscaling with self-hosted runners](/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners)."
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Next steps
|
||||
|
||||
- You can monitor self-hosted runners and troubleshoot common issues. For more information, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners)."
|
||||
|
||||
- {% data variables.product.company_short %} recommends that you review security considerations for self-hosted runner machines. For more information, see "[Security hardening for {% data variables.product.prodname_actions %}](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)."
|
||||
|
||||
- {% ifversion ghec %}If you use {% data variables.product.prodname_ghe_server %} or {% data variables.product.prodname_ghe_managed %}, you{% elsif ghes or ghae %}You{% endif %} can manually sync repositories on {% data variables.product.prodname_dotcom_the_website %} containing actions to your enterprise on {% ifversion ghes or ghae %}{% data variables.product.product_name %}{% elsif ghec %}{% data variables.product.prodname_ghe_server %} or {% data variables.product.prodname_ghe_managed %}{% endif %}. Alternatively, you can allow members of your enterprise to automatically access actions from {% data variables.product.prodname_dotcom_the_website %} by using {% data variables.product.prodname_github_connect %}. For more information, see the following.
|
||||
|
||||
{%- ifversion ghes or ghae %}
|
||||
- "[Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}](/admin/github-actions/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom)"
|
||||
- "[Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)"
|
||||
{%- elsif ghec %}
|
||||
- "Manually syncing actions from {% data variables.product.prodname_dotcom_the_website %}" in the [{% data variables.product.prodname_ghe_server %}](/enterprise-server@latest//admin/github-actions/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom) or [{% data variables.product.prodname_ghe_managed %}](/github-ae@latest//admin/github-actions/managing-access-to-actions-from-githubcom/manually-syncing-actions-from-githubcom) documentation
|
||||
- "Enabling automatic access to {% data variables.product.prodname_dotcom_the_website %} actions using {% data variables.product.prodname_github_connect %}" in the [{% data variables.product.prodname_ghe_server %}](/enterprise-server@latest//admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) or [{% data variables.product.prodname_ghe_managed %}](/github-ae@latest//admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) documentation
|
||||
{%- endif %}
|
||||
|
||||
- You can customize the software available on your self-hosted runner machines, or configure your runners to run software similar to {% data variables.product.company_short %}-hosted runners{% ifversion ghes or ghae %} available for customers using {% data variables.product.prodname_dotcom_the_website %}{% endif %}. The software that powers runner machines for {% data variables.product.prodname_actions %} is open source. For more information, see the [`actions/runner`](https://github.com/actions/runner) and [`actions/virtual-environments`](https://github.com/actions/virtual-environments) repositories.
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[Configuring the self-hosted runner application as a service](/actions/hosting-your-own-runners/configuring-the-self-hosted-runner-application-as-a-service)"
|
||||
- "[Using self-hosted runners in a workflow](/actions/hosting-your-own-runners/using-self-hosted-runners-in-a-workflow)"
|
||||
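Review bot: In "Next steps", the four links in the `elsif ghec` branch carry a doubled slash after the version segment (`/enterprise-server@latest//admin/...` and `/github-ae@latest//admin/...`); drop the extra slash so they match the single-slash paths used by every other link in this file. Separately, in "5. Automatically scale your self-hosted runners" the webhook sentence uses `{% data variables.product.product_location %}` unconditionally, while the sentence before it switches to "your enterprise" for `ghec` and `ghae`; give the webhook sentence the same `ifversion` split so the two read consistently.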
@@ -15,6 +15,7 @@ children:
|
||||
- /getting-started-with-github-actions-for-github-enterprise-cloud
|
||||
- /getting-started-with-github-actions-for-github-enterprise-server
|
||||
- /getting-started-with-github-actions-for-github-ae
|
||||
- /getting-started-with-self-hosted-runners-for-your-enterprise
|
||||
shortTitle: Get started
|
||||
---
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Enabling automatic access to GitHub.com actions using GitHub Connect
|
||||
intro: 'To allow {% data variables.product.prodname_actions %} in your enterprise to use actions from {% data variables.product.prodname_dotcom_the_website %}, you can connect your enterprise instance to {% data variables.product.prodname_ghe_cloud %}.'
|
||||
permissions: 'Site administrators for {% data variables.product.product_name %} who are also owners of the connected {% data variables.product.prodname_ghe_cloud %} organization or enterprise account can enable access to all {% data variables.product.prodname_dotcom_the_website %} actions.'
|
||||
permissions: 'Enterprise owners can enable access to all {% data variables.product.prodname_dotcom_the_website %} actions.'
|
||||
redirect_from:
|
||||
- /enterprise/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect
|
||||
- /admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect
|
||||
|
||||
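Review bot: The replacement `permissions` line drops the condition that the person must also own the connected `{% data variables.product.prodname_ghe_cloud %}` organization or enterprise account, leaving only "Enterprise owners can enable access". If enabling the connection still needs ownership on both sides, keep that condition in the new wording; if the requirement really has changed, call it out in the commit description, since this front matter is what readers rely on to decide who may open access to all `{% data variables.product.prodname_dotcom_the_website %}` actions.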
@@ -13,7 +13,8 @@ learningTracks:
|
||||
- '{% ifversion ghae %}get_started_with_github_ae{% endif %}'
|
||||
- '{% ifversion ghes %}deploy_an_instance{% endif %}'
|
||||
- '{% ifversion ghes %}upgrade_your_instance{% endif %}'
|
||||
- adopting_github_actions_for_your_enterprise
|
||||
- adopting_github_actions_for_your_enterprise_ghec
|
||||
- adopting_github_actions_for_your_enterprise_ghes_and_ghae
|
||||
- '{% ifversion ghes %}increase_fault_tolerance{% endif %}'
|
||||
- '{% ifversion ghes %}improve_security_of_your_instance{% endif %}'
|
||||
- '{% ifversion ghes > 2.22 %}configure_github_actions{% endif %}'
|
||||
|
||||
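Review bot: The two new entries, `adopting_github_actions_for_your_enterprise_ghec` and `adopting_github_actions_for_your_enterprise_ghes_and_ghae`, are listed with no `ifversion` wrapper, while the neighbouring tracks in this list are each wrapped in one. That only works if the renderer hides a track whose own `versions` key excludes the current version. Please confirm that it does, or wrap each entry (`{% ifversion ghec %}` and `{% ifversion ghes or ghae %}`) so two tracks with the identical title "Adopt GitHub Actions for your enterprise" can never appear side by side.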
@@ -69,7 +69,6 @@ changelog:
|
||||
label: enterprise
|
||||
featuredLinks:
|
||||
guides:
|
||||
- '{% ifversion ghae %}/billing/managing-billing-for-your-github-account/about-billing-for-your-enterprise{% endif %}'
|
||||
- '{% ifversion ghae %}/admin/user-management/auditing-users-across-your-enterprise{% endif %}'
|
||||
- '{% ifversion ghae %}/admin/configuration/restricting-network-traffic-to-your-enterprise{% endif %}'
|
||||
- '{% ifversion ghes %}/admin/configuration/configuring-backups-on-your-appliance{% endif %}'
|
||||
@@ -79,6 +78,7 @@ featuredLinks:
|
||||
- '{% ifversion ghec %}/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/about-enterprise-managed-users{% endif %}'
|
||||
- '{% ifversion ghec %}/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-identity-and-access-management-for-your-enterprise{% endif %}'
|
||||
- '{% ifversion ghec %}/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise{% endif %}'
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise
|
||||
guideCards:
|
||||
- '{% ifversion ghes > 2.22 %} /admin/github-actions/getting-started-with-github-actions-for-github-enterprise-server {% elsif ghes < 3.0 %} /admin/enterprise-management/upgrading-github-enterprise-server {% endif %}'
|
||||
- '{% ifversion ghes > 2.22 %} /admin/packages/getting-started-with-github-packages-for-your-enterprise {% elsif ghes < 3.0 %} /admin/user-management/customizing-user-messages-for-your-enterprise {% endif %}'
|
||||
@@ -94,6 +94,7 @@ featuredLinks:
|
||||
- '{% ifversion ghes %}/github/getting-started-with-github/setting-up-a-trial-of-github-enterprise-server{% endif %}'
|
||||
- '{% ifversion ghes %}/admin/installation{% endif %}'
|
||||
- '{% ifversion ghae %}/admin/identity-and-access-management/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad{% endif %}'
|
||||
- '{% ifversion ghae %}/billing/managing-billing-for-your-github-account/about-billing-for-your-enterprise{% endif %}'
|
||||
- '{% ifversion ghae %}/admin/overview/about-upgrades-to-new-releases{% endif %}'
|
||||
- '{% ifversion ghae %}/get-started/signing-up-for-github/setting-up-a-trial-of-github-ae{% endif %}'
|
||||
- '{% ifversion ghes %}/billing/managing-your-license-for-github-enterprise{% endif %}'
|
||||
|
||||
@@ -1446,7 +1446,7 @@ This event occurs when someone triggers a workflow run on GitHub or sends a `POS
|
||||
{{ webhookPayloadsForCurrentVersion.workflow_dispatch }}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion fpt or ghes > 3.2 or ghec %}
|
||||
{% ifversion fpt or ghes > 3.2 or ghec or ghae-issue-4462 %}
|
||||
|
||||
## workflow_job
|
||||
|
||||
|
||||
@@ -36,9 +36,25 @@ deploy_to_the_cloud:
|
||||
- /actions/deployment/deploying-to-amazon-elastic-container-service
|
||||
- /actions/deployment/deploying-to-azure-app-service
|
||||
- /actions/deployment/deploying-to-google-kubernetes-engine
|
||||
adopting_github_actions_for_your_enterprise:
|
||||
adopting_github_actions_for_your_enterprise_ghec:
|
||||
title: 'Adopt GitHub Actions for your enterprise'
|
||||
description: 'Learn how to plan and implement a roll out of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
description: 'Learn how to plan and implement a rollout of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
guides:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises
|
||||
- /actions/learn-github-actions/understanding-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/migrating-your-enterprise-to-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud
|
||||
- /actions/security-guides/security-hardening-for-github-actions
|
||||
- /billing/managing-billing-for-github-actions/about-billing-for-github-actions
|
||||
adopting_github_actions_for_your_enterprise_ghes_and_ghae:
|
||||
title: 'Adopt GitHub Actions for your enterprise'
|
||||
description: 'Learn how to plan and implement a rollout of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
versions:
|
||||
ghes: '*'
|
||||
ghae: '*'
|
||||
guides:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises
|
||||
- /actions/learn-github-actions/understanding-github-actions
|
||||
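Review bot: The `guides` list of `adopting_github_actions_for_your_enterprise_ghec` leaves out the new `getting-started-with-self-hosted-runners-for-your-enterprise` guide, although that guide's front matter declares `ghec: '*'` and the `_ghes_and_ghae` track gains it in the next hunk. If the omission is deliberate (for example because GHEC customers are expected to start on hosted runners), note that in the commit description; otherwise add the guide after `getting-started-with-github-actions-for-github-enterprise-cloud` so GHEC readers reach the runner-group and access-restriction steps as part of the track.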
@@ -46,8 +62,9 @@ adopting_github_actions_for_your_enterprise:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/migrating-your-enterprise-to-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-ae
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise
|
||||
- /actions/security-guides/security-hardening-for-github-actions
|
||||
- /billing/managing-billing-for-github-actions/about-billing-for-github-actions
|
||||
hosting_your_own_runners:
|
||||
title: 'Host your own runners'
|
||||
description: 'You can create self-hosted runners to run workflows in a highly customizable environment.'
|
||||
|
||||
@@ -38,9 +38,26 @@ upgrade_your_instance:
|
||||
- /admin/configuration/enabling-and-scheduling-maintenance-mode
|
||||
- /admin/enterprise-management/upgrading-github-enterprise-server
|
||||
|
||||
adopting_github_actions_for_your_enterprise:
|
||||
adopting_github_actions_for_your_enterprise_ghec:
|
||||
title: 'Adopt GitHub Actions for your enterprise'
|
||||
description: 'Learn how to plan and implement a roll out of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
description: 'Learn how to plan and implement a rollout of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
guides:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises
|
||||
- /actions/learn-github-actions/understanding-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/migrating-your-enterprise-to-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud
|
||||
- /actions/security-guides/security-hardening-for-github-actions
|
||||
- /billing/managing-billing-for-github-actions/about-billing-for-github-actions
|
||||
|
||||
adopting_github_actions_for_your_enterprise_ghes_and_ghae:
|
||||
title: 'Adopt GitHub Actions for your enterprise'
|
||||
description: 'Learn how to plan and implement a rollout of {% data variables.product.prodname_actions %} in your enterprise.'
|
||||
versions:
|
||||
ghes: '*'
|
||||
ghae: '*'
|
||||
guides:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/about-github-actions-for-enterprises
|
||||
- /actions/learn-github-actions/understanding-github-actions
|
||||
@@ -48,8 +65,9 @@ adopting_github_actions_for_your_enterprise:
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/migrating-your-enterprise-to-github-actions
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-cloud
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-ae
|
||||
- /admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-self-hosted-runners-for-your-enterprise
|
||||
- /actions/security-guides/security-hardening-for-github-actions
|
||||
- /billing/managing-billing-for-github-actions/about-billing-for-github-actions
|
||||
|
||||
increase_fault_tolerance:
|
||||
title: 'Increase the fault tolerance of your instance'
|
||||
|
||||
1
data/reusables/actions/about-actions-for-enterprises.md
Normal file
@@ -0,0 +1 @@
|
||||
{% data variables.product.prodname_actions %} allows {% ifversion ghec or ghae %}members of your enterprise{% elsif ghes %}people who use {% data variables.product.product_location %}{% endif %} to improve productivity by automating every phase of the software development workflow.
|
||||
@@ -1 +1 @@
|
||||
This API is available for authenticated users, {% data variables.product.prodname_oauth_apps %}, and {% data variables.product.prodname_github_apps %}. Access tokens require [`repo` scope](/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes) for private repos and [`public_repo` scope](/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes) for {% ifversion ghae %} for internal repos that are available to everyone on the enterprise.{% else %}public repos.{% endif %}
|
||||
This API is available for authenticated users, {% data variables.product.prodname_oauth_apps %}, and {% data variables.product.prodname_github_apps %}. Access tokens require [`repo` scope](/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes) for private repositories and [`public_repo` scope](/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes) for {% ifversion ghae %}internal{% else %}public{% endif %} repositories.
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
{% ifversion ghae %}
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning:** Self-hosted runners are long-lived, and any compromise to the host machine could leak secrets or credentials or enable other attacks. For more information about the risks of using self-hosted runners, see "[Security hardening for {% data variables.product.prodname_actions %}](/actions/learn-github-actions/security-hardening-for-github-actions#potential-impact-of-a-compromised-runner)." For more information about the management of access to {% data variables.product.prodname_actions %} for {% data variables.product.product_location %}, see "[Enforcing {% data variables.product.prodname_actions %} policies for your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise)."
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
{% endif %}
|
||||
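Review bot: With this reusable deleted, `ghae` readers lose the only in-place statement that self-hosted runners are long-lived and that a compromised host could leak secrets or credentials. The public-repository warning in the new guide is limited to `ghec or ghes`, and the hardening link appears only as a "Next steps" bullet. Consider keeping one sentence on that risk, with the "Potential impact of a compromised runner" link, near "2. Deploy the self-hosted runner for your enterprise" so it is read before a machine is registered.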
@@ -1 +1 @@
|
||||
By default, {% ifversion ghes or ghae %}after {% data variables.product.prodname_actions %} is enabled on {% data variables.product.product_location %}, it{% elsif fpt %}{% data variables.product.prodname_actions %}{% endif %} is enabled on all repositories and organizations. You can choose to disable {% data variables.product.prodname_actions %} or limit them to local actions only, which means that people can only use actions that exist in your repository.
|
||||
By default, {% ifversion ghes or ghae %}after {% data variables.product.prodname_actions %} is enabled on {% data variables.product.product_location %}, it{% elsif fpt or ghec %}{% data variables.product.prodname_actions %}{% endif %} is enabled on all repositories and organizations. You can choose to disable {% data variables.product.prodname_actions %} or limit them to local actions only, which means that people can only use actions that exist in your repository.
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
{% endnote %}
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes < 3.3 %}
|
||||
{% ifversion ghes < 3.3 or ghae %}
|
||||
{% note %}
|
||||
|
||||
**Note:** When a workflow uses an action by referencing the repository where the action is stored, {% data variables.product.prodname_actions %} will try to find the repository on your {% data variables.product.prodname_ghe_server %} instance first before falling back to {% data variables.product.prodname_dotcom_the_website %}. If a user creates an organization and repository in your enterprise that matches an organization and repository name on {% data variables.product.prodname_dotcom %}, the repository on your enterprise will be used in place of the {% data variables.product.prodname_dotcom %} repository. A malicious user could take advantage of this behavior to run code as part of a workflow.
|
||||
|
||||
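Review bot: Extending the condition to `ghes < 3.3 or ghae` makes this note render for `ghae`, but its text still says the lookup happens "on your `{% data variables.product.prodname_ghe_server %}` instance first". Replace that with a version-neutral variable such as `{% data variables.product.product_location %}`, which this patch already uses under `ghes or ghae` elsewhere, so the caution about a same-named organization and repository taking precedence over the one on `{% data variables.product.prodname_dotcom %}` reads correctly on both products.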
@@ -25,8 +25,6 @@ For more information, see "[Virtual environments for {% data variables.product.p
|
||||
### Choosing self-hosted runners
|
||||
{% endif %}
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-labels-runs-on %}
|
||||
|
||||
#### Example: Using labels for runner selection
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
1. Enter a name for your runner group, and assign a policy for organization access.
|
||||
|
||||
You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.
|
||||
You can configure a runner group to be accessible to a specific list of organizations, or all organizations in the enterprise.{% ifversion ghec or ghes %} By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.{% endif %}
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
1. Enter a name for your runner group, and assign a policy for repository access.
|
||||
|
||||
You can configure a runner group to be accessible to a specific list of repositories, or to all repositories in the organization. By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.
|
||||
You can configure a runner group to be accessible to a specific list of repositories, or to all repositories in the organization.{% ifversion ghec or ghes %} By default, only private repositories can access runners in a runner group, but you can override this. This setting can't be overridden if configuring an organization's runner group that was shared by an enterprise.{% endif %}
|
||||
|
||||
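Review bot: The conditional sentence added here is word for word the same as the one added to the organization-access reusable, so the version condition now has to be kept in sync in two files. Consider moving the "By default, only private repositories can access runners in a runner group..." text into a reusable of its own and including it from both steps.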
@@ -0,0 +1,16 @@
|
||||
{%- ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Click **New runner**.
|
||||
{% data reusables.actions.self-hosted-runner-configure %}
|
||||
{%- elsif ghae or ghes < 3.4 %}
|
||||
To add a self-hosted runner to an enterprise, you must be an enterprise owner.
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Click **Add new**, then click **New runner**.
|
||||
{% data reusables.actions.self-hosted-runner-configure %}
|
||||
{%- endif %}
|
||||
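Review bot: The permission requirement "To add a self-hosted runner to an enterprise, you must be an enterprise owner." appears only in the `elsif ghae or ghes < 3.4` branch, so readers on `ghec` or `ghes > 3.3` never see who is allowed to perform these steps. Move that sentence above the `ifversion` so it renders for both branches. The four `enterprise-accounts` reusables are also identical in both branches and could be hoisted out, leaving only the "Click **New runner**" / "Click **Add new**, then click **New runner**" step inside the conditional.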
@@ -0,0 +1 @@
|
||||
Your runner machine connects to {% data variables.product.product_name %} using the {% data variables.product.prodname_actions %} self-hosted runner application.
|
||||
@@ -3,8 +3,6 @@
|
||||
|
||||
After completing the steps to add a self-hosted runner, the runner and its status are now listed under {% ifversion fpt or ghec %}"Runners"{% elsif ghae or ghes %}"Self-hosted runners"{% endif %}.
|
||||
|
||||
The self-hosted runner application must be active for the runner to accept jobs. When the runner application is connected to {% data variables.product.product_name %} and ready to receive jobs, you will see the following message on machine's terminal.
|
||||
The self-hosted runner application must be active for the runner to accept jobs. When the runner application is connected to {% data variables.product.product_name %} and ready to receive jobs, you will see the following message on the machine's terminal.
|
||||
|
||||
{% data reusables.actions.self-hosted-runner-connected-output %}
|
||||
|
||||
For more information, see "[Monitoring and troubleshooting self-hosted runners](/actions/hosting-your-own-runners/monitoring-and-troubleshooting-self-hosted-runners)."
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
{% ifversion ghae %}
|
||||
|
||||
You must ensure that the self-hosted runner has appropriate network access to communicate with your {% data variables.product.prodname_ghe_managed %} URL and its subdomains.
|
||||
For example, if your instance name is `octoghae`, then you will need to allow the self-hosted runner to access `octoghae.githubenterprise.com`, `api.octoghae.githubenterprise.com`, and `codeload.octoghae.githubenterprise.com`.
|
||||
|
||||
If you use an IP address allow list for your organization or enterprise account on {% data variables.product.prodname_dotcom %}, you must add your self-hosted runner's IP address to the allow list. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list)."
|
||||
|
||||
{% endif %}
|
||||
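Review bot: Inside this `{% ifversion ghae %}` block, the IP allow list paragraph refers to an "organization or enterprise account on {% data variables.product.prodname_dotcom %}" and links to the organization-level article, which reads oddly for a reader who is only on {% data variables.product.prodname_ghe_managed %}. Either use the product variable for the current version or move that paragraph outside the `ghae` condition. It would also help to say whether the three hostnames in the `octoghae` example are the complete set behind "its subdomains", since administrators will copy that list into firewall rules.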
@@ -14,6 +14,3 @@
|
||||
- Running the `config` script to configure the self-hosted runner application and register it with {% data variables.product.prodname_actions %}. The `config` script requires the destination URL and an automatically-generated time-limited token to authenticate the request.
|
||||
- On Windows, the `config` script also asks if you would like to install the self-hosted runner application as a service. For Linux and macOS, you can install a service after you finish adding the runner. For more information, see "[Configuring the self-hosted runner application as a service](/actions/automating-your-workflow-with-github-actions/configuring-the-self-hosted-runner-application-as-a-service)."
|
||||
- Running the self-hosted runner application to connect the machine to {% data variables.product.prodname_actions %}.
|
||||
{% ifversion fpt or ghec or ghes > 3.2 %}
|
||||
- If you are setting up a cluster of runners, you can install another tool to automatically scale your runners. For more information, see "[Autoscaling with self-hosted runners](/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners)."
|
||||
{% endif %}
|
||||
|
||||
@@ -1 +1 @@
|
||||
1. Click **Create group** to create the group and apply the policy.
|
||||
1. Click **{% ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}Create{%- elsif ghes < 3.4 or ghae %}Save{% endif %} group** to create the group and apply the policy.
|
||||
|
||||
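Review bot: The button label has no fallback: a version that matches neither `ghec or ghes > 3.3 or ghae-issue-5091` nor `ghes < 3.4 or ghae` (for example `fpt`) renders this step as "Click ** group**". Replace the `elsif` with a plain `{% else %}`, or add the missing version to one of the branches. The `{%-` whitespace control in the middle of the bolded text is also inconsistent with the opening tag and is not needed here.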
@@ -1 +1 @@
|
||||
Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide. With self-hosted runners, you can choose to create a custom hardware configuration with more processing power or memory to run larger jobs, install software available on your local network, and choose an operating system not offered by {% data variables.product.prodname_dotcom %}-hosted runners.
|
||||
{% ifversion fpt or ghec %}Self-hosted runners offer more control of hardware, operating system, and software tools than {% data variables.product.prodname_dotcom %}-hosted runners provide. {% endif %}With self-hosted runners, you can create custom hardware configurations that meet your needs with processing power or memory to run larger jobs, install software available on your local network, and choose an operating system{% ifversion fpt or ghec %} not offered by {% data variables.product.prodname_dotcom %}-hosted runners{% endif %}.
|
||||
|
||||
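Review bot: The rewritten middle clause, "create custom hardware configurations that meet your needs with processing power or memory to run larger jobs", lost the comparison from the old text ("more processing power or memory") and now reads awkwardly. Something like "create custom hardware configurations with the processing power or memory you need to run larger jobs" keeps the meaning without depending on the first sentence, which is now hidden outside `fpt or ghec`.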
@@ -0,0 +1,11 @@
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.policies-tab %}
|
||||
{% data reusables.enterprise-accounts.actions-tab %}
|
||||
{%- ifversion ghec or ghes > 3.3 or ghae-issue-5091 %}
|
||||
{% data reusables.enterprise-accounts.actions-runner-groups-tab %}
|
||||
1. Click **New runner group**.
|
||||
{%- elsif ghes < 3.4 or ghae %}
|
||||
{% data reusables.enterprise-accounts.actions-runners-tab %}
|
||||
1. Use the **Add new** drop-down, and select **New group**.
|
||||
{%- endif %}
|
||||
1. Under "Group name", type a name for your runner group.
|
||||
1
data/reusables/actions/self-hosted-runner-locations.md
Normal file
1
data/reusables/actions/self-hosted-runner-locations.md
Normal file
@@ -0,0 +1 @@
|
||||
Self-hosted runners can be physical, virtual, in a container, on-premises, or in a cloud.
|
||||
@@ -1,3 +1 @@
|
||||
{% ifversion ghes or ghae %}
|
||||
The connection between self-hosted runners and {% data variables.product.product_name %} is over HTTP (port 80) and HTTPS (port 443).
|
||||
{% endif %}
|
||||
Self-hosted runners must be able to communicate with {% ifversion ghae %}your enterprise on {% data variables.product.product_name %}{% elsif fpt or ghec or ghes %}{% data variables.product.product_location %}{% endif %} over HTTP (port 80) and HTTPS (port 443).
|
||||
|
||||
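Review bot: Removing the `{% ifversion ghes or ghae %}` guard makes the "HTTP (port 80) and HTTPS (port 443)" requirement render for `fpt` and `ghec` as well, where it did not appear before. Please confirm that port 80 is really required on those versions before publishing, because administrators will open cleartext egress on the strength of this sentence. The new wording also drops the direction of the connection. Say explicitly that the runner initiates the connection so readers do not infer that inbound ports must be opened on the runner machine.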
@@ -0,0 +1,7 @@
|
||||
{%- ifversion ghes %}
|
||||
- {% data variables.product.prodname_actions %} must be enabled for {% data variables.product.product_name %}. A site administrator can enable and configure {% data variables.product.prodname_actions %} for your instance. For more information, see "[Getting started with {% data variables.product.prodname_actions %} for {% data variables.product.prodname_ghe_server %}](/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/getting-started-with-github-actions-for-github-enterprise-server)."
|
||||
{%- endif %}
|
||||
|
||||
- You must have access to the machine you will use as a self-hosted runner in your environment.
|
||||
|
||||
- {% data reusables.actions.self-hosted-runner-ports-protocols %} For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github-ae)."
|
||||
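Review bot: The last bullet renders for every version, but its link targets the anchor `#communication-between-self-hosted-runners-and-github-ae`, which is specific to one product. Readers on other versions will land on the top of the page or on the wrong section. Version the anchor, or link to the article without a fragment.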
@@ -1,7 +1,5 @@
|
||||
## Self-hosted runner groups
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
|
||||
The Self-hosted Runners Groups API allows you manage groups of self-hosted runners. For more information, see "[Managing access to self-hosted runners using groups](/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups)."
|
||||
|
||||
{% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} must have the `administration` permission for repositories or the `organization_self_hosted_runners` permission for organizations. Authenticated users must have admin access to repositories or organizations, or the `manage_runners:enterprise` scope for enterprises to use this API.
|
||||
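Review bot: While this file is being touched, the context line "The Self-hosted Runners Groups API allows you manage groups of self-hosted runners" is missing a word and should read "allows you to manage". Nothing else in the hunk needs changing.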
@@ -1,7 +1,5 @@
|
||||
## Self-hosted runners
|
||||
|
||||
{% data reusables.actions.ae-self-hosted-runners-notice %}
|
||||
|
||||
The Self-hosted Runners API allows you to register, view, and delete self-hosted runners. {% data reusables.actions.about-self-hosted-runners %} For more information, see "[Hosting your own runners](/actions/hosting-your-own-runners)."
|
||||
|
||||
{% data reusables.actions.actions-authentication %} {% data variables.product.prodname_github_apps %} must have the `administration` permission for repositories the `organization_self_hosted_runners` permission for organizations. Authenticated users must have admin access to repositories or organizations, or the `manage_runners:enterprise` scope for enterprises to use this API.
|
||||
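Review bot: The permissions sentence in the last context line is missing a conjunction: "must have the `administration` permission for repositories the `organization_self_hosted_runners` permission for organizations". The matching sentence in the runner groups section has "or" between the two permissions. Fix it here too, since this is the text readers rely on to scope a {% data variables.product.prodname_github_apps %} installation.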