Add Actions policy for reusable workflows (#26287)
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
BIN
assets/images/help/repository/actions-policy-with-workflows.png
Normal file
@@ -48,7 +48,7 @@ For more information, see "[Creating starter workflows for your organization](/a
A reusable workflow can be used by another workflow if {% ifversion ghes or ghec or ghae %}any{% else %}either{% endif %} of the following is true:
* Both workflows are in the same repository.
* The called workflow is stored in a public repository.{% ifversion ghes or ghec or ghae %}
* The called workflow is stored in a public repository{% if actions-workflow-policy %}, and your {% ifversion ghec %}enterprise{% else %}organization{% endif %} allows you to use public reusable workflows{% endif %}.{% ifversion ghes or ghec or ghae %}
* The called workflow is stored in an internal repository and the settings for that repository allow it to be accessed. For more information, see {% if internal-actions %}"[Sharing actions and workflows with your enterprise](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise){% else %}"[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-an-internal-repository){% endif %}."{% endif %}
## Using runners
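Review bot: the new condition on the public-repository bullet ("your enterprise/organization allows you to use public reusable workflows") leaves out the repository level, although this same change adds the policy to the repository settings article ("Managing GitHub Actions permissions for your repository"), and a personal repository has no organization at all. Suggest "your repository, organization, or enterprise allows you to use public reusable workflows", or a pointer to the repository settings article, so a reader on a user-owned repository is not sent looking for an organization setting.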
@@ -28,7 +28,7 @@ Alternatively, you can use runner machines that {% data variables.product.compan
This guide shows you how to apply a centralized management approach to self-hosted runners for {% data variables.product.prodname_actions %} in your enterprise. In the guide, you'll complete the following tasks.
1. Configure a limited policy to restrict the actions that can run within your enterprise
1. Configure a limited policy to restrict the actions{% if actions-workflow-policy %} and reusable workflows{% endif %} that can run within your enterprise
1. Deploy a self-hosted runner for your enterprise
1. Create a group to manage access to the runners available to your enterprise
1. Optionally, further restrict the repositories that can use the runner
@@ -48,7 +48,7 @@ After you finish the guide, {% ifversion ghec or ghae %}members of your enterpri
## 1. Configure policies for {% data variables.product.prodname_actions %}
First, enable {% data variables.product.prodname_actions %} for all organizations, and configure a policy to restrict the actions that can run {% ifversion ghec or ghae%}within your enterprise on {% data variables.product.product_name %}{% elsif ghes %}on {% data variables.product.product_location %}{% endif %}. Optionally, organization owners can further restrict these policies for each organization.
First, enable {% data variables.product.prodname_actions %} for all organizations, and configure a policy to restrict the actions{% if actions-workflow-policy %} and reusable workflows{% endif %} that can run {% ifversion ghec or ghae%}within your enterprise on {% data variables.product.product_name %}{% elsif ghes %}on {% data variables.product.product_location %}{% endif %}. Optionally, organization owners can further restrict these policies for each organization.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
@@ -56,9 +56,13 @@ First, enable {% data variables.product.prodname_actions %} for all organization
1. Under "Policies", select **Enable for all organizations**.

1. Select **Allow select actions** and **Allow actions created by GitHub** to allow local actions and actions created by {% data variables.product.company_short %}.
1. Select {% data reusables.actions.policy-label-for-select-actions-workflows %} and **Allow actions created by GitHub** to allow local actions{% if actions-workflow-policy %} and reusable workflows{% endif %}, and actions created by {% data variables.product.company_short %}.
{% if actions-workflow-policy %}

{%- else %}

{%- endif %}
1. Click **Save**.
You can configure additional policies to restrict the actions available to {% ifversion ghec or ghae %}enterprise members{% elsif ghes %}users of {% data variables.product.product_location %}{% endif %}. For more information, see "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-to-run)."
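Review bot: the link at the end of this hunk still targets `#allowing-select-actions-to-run`, while the heading rendered by the `allow-specific-actions-intro` reusable becomes "Allowing select actions and reusable workflows to run" on versions with `actions-workflow-policy`; it only resolves because that reusable now carries an explicit `<a name="allowing-select-actions-to-run"></a>` anchor. Consider making this link feature-aware in the same way the `actions-use-policy-settings` reusable does (`#allowing-select-actions{% if actions-workflow-policy %}-and-reusable-workflows{% endif %}-to-run`) so the guide does not depend on the legacy anchor surviving a later cleanup.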
@@ -26,11 +26,15 @@ Before you introduce {% data variables.product.prodname_actions %} to a large en
You should create a plan to govern your enterprise's use of {% data variables.product.prodname_actions %} and meet your compliance obligations.
Determine which actions your developers will be allowed to use. {% ifversion ghes %}First, decide whether you'll enable access to actions from outside your instance. {% data reusables.actions.access-actions-on-dotcom %} For more information, see "[About using actions in your enterprise](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise)."
Determine which actions {% if actions-workflow-policy %}and reusable workflows{% endif %} your developers will be allowed to use. {% ifversion ghes %}First, decide whether you'll enable access to actions {% if actions-workflow-policy %}and reusable workflows{% endif %} from outside your instance. {% data reusables.actions.access-actions-on-dotcom %} For more information, see "[About using actions in your enterprise](/admin/github-actions/managing-access-to-actions-from-githubcom/about-using-actions-in-your-enterprise)."
Then,{% else %}First,{% endif %} decide whether you'll allow third-party actions that were not created by {% data variables.product.company_short %}. You can configure the actions that are allowed to run at the repository, organization, and enterprise levels and can choose to only allow actions that are created by {% data variables.product.company_short %}. If you do allow third-party actions, you can limit allowed actions to those created by verified creators or a list of specific actions. For more information, see "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository)", "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#managing-github-actions-permissions-for-your-organization)", and "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-to-restrict-the-use-of-actions-in-your-enterprise)."
Then,{% else %}First,{% endif %} decide whether you'll allow third-party actions {% if actions-workflow-policy %}and reusable workflows{% endif %} that were not created by {% data variables.product.company_short %}. You can configure the actions {% if actions-workflow-policy %}and reusable workflows{% endif %} that are allowed to run at the repository, organization, and enterprise levels and can choose to only allow actions that are created by {% data variables.product.company_short %}. If you do allow third-party actions{% if actions-workflow-policy %} and reusable workflows{% endif %}, you can limit allowed actions to those created by verified creators or a list of specific actions{% if actions-workflow-policy %} and reusable workflows{% endif %}. For more information, see "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#managing-github-actions-permissions-for-your-repository)", "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#managing-github-actions-permissions-for-your-organization)", and "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-to-restrict-the-use-of-github-actions-in-your-enterprise)."
{% if actions-workflow-policy %}

{%- else %}

{%- endif %}
{% ifversion ghec or ghae-issue-4757 %}
Consider combining OpenID Connect (OIDC) with reusable workflows to enforce consistent deployments across your repository, organization, or enterprise. You can do this by defining trust conditions on cloud roles based on reusable workflows. For more information, see "[Using OpenID Connect with reusable workflows](/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows)."
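Review bot: the spacing around the feature-flag clauses in this hunk is inconsistent and renders a double space whenever the flag is off: "actions {% if actions-workflow-policy %}and reusable workflows{% endif %} your developers" becomes "actions  your developers", and the same shape recurs three more times in the next paragraph ("third-party actions {% if ... %}and reusable workflows{% endif %} that", "the actions {% if ... %}and reusable workflows{% endif %} that are allowed"). Put the leading space inside the conditional, as the enterprise-policies hunk does ("actions{% if actions-workflow-policy %} and reusable workflows{% endif %} your developers"). The same outside-the-conditional spacing appears again in the organization article and in the two one-line reusables near the end of the change ("limit it to actions {% if ... %}and reusable workflows{% endif %} in your", "run actions {% if ... %}and reusable workflows{% endif %} located within").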
@@ -33,34 +33,44 @@ shortTitle: GitHub Actions policies
{% ifversion ghes %}If you enable {% data variables.product.prodname_actions %}, any{% else %}Any{% endif %} organization on {% data variables.product.product_location %} can use {% data variables.product.prodname_actions %}. You can enforce policies to control how members of your enterprise on {% data variables.product.product_name %} use {% data variables.product.prodname_actions %}. By default, organization owners can manage how members use {% data variables.product.prodname_actions %}. For more information, see "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)."
## Enforcing a policy to restrict the use of actions in your enterprise
## Enforcing a policy to restrict the use of {% data variables.product.prodname_actions %} in your enterprise
You can choose to disable {% data variables.product.prodname_actions %} for all organizations in your enterprise, or only allow specific organizations. You can also limit the use of public actions, so that people can only use local actions that exist in your enterprise.
You can choose to disable {% data variables.product.prodname_actions %} for all organizations in your enterprise, or only allow specific organizations. You can also limit the use of public actions {% if actions-workflow-policy %}and reusable workflows{% endif %}, so that people can only use local actions {% if actions-workflow-policy %}and reusable workflows{% endif %} that exist in your enterprise.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.actions-tab %}
{% data reusables.actions.enterprise-actions-permissions %}
1. Under "Policies", select your options.
{% indented_data_reference reusables.actions.actions-use-policy-settings spaces=3 %}
{%- ifversion ghes or ghae %}
{% note %}
**Note:** To enable access to public actions{% if actions-workflow-policy %} and reusable workflows{% endif %}, you must first configure {% data variables.product.product_location %} to connect to {% data variables.product.prodname_dotcom_the_website %}. For more information, see "[Enabling automatic access to GitHub.com actions using GitHub Connect](/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)."
{% endnote %}
{%- endif %}
{% if actions-workflow-policy %}

{%- else %}

{%- endif %}
1. Click **Save**.
{% ifversion ghec or ghes or ghae %}
### Allowing select actions to run
{% data reusables.actions.allow-specific-actions-intro %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.policies-tab %}
{% data reusables.enterprise-accounts.actions-tab %}
1. Under **Policies**, select **Allow select actions** and add your required actions to the list.
{%- ifversion ghes or ghae-issue-5094 %}

1. Under "Policies", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to the list.
{% if actions-workflow-policy %}

{%- elsif ghes or ghae-issue-5094 %}

{%- elsif ghae %}


{%- endif %}
{% endif %}
{% ifversion ghec or ghes or ghae %}
## Enforcing a policy for artifact and log retention in your enterprise
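Review bot: renaming the heading to "Enforcing a policy to restrict the use of GitHub Actions in your enterprise" changes its URL fragment, and unlike the `allow-specific-actions-intro` reusable in this change (which keeps `<a name="allowing-select-actions-to-run"></a>` for its old fragment) no anchor for `#enforcing-a-policy-to-restrict-the-use-of-actions-in-your-enterprise` is added here. The planning article's link is updated in the same commit, but any other inbound link or bookmark will now land at the top of the page; suggest adding the `<a name>` anchor before the new heading. A smaller rendering issue in the same hunk: with the flag off, "limit the use of public actions {% if actions-workflow-policy %}and reusable workflows{% endif %}, so that" renders as "public actions , so that" with a stray space before the comma; moving the space inside the conditional, as the note line below it already does ("public actions{% if actions-workflow-policy %} and reusable workflows{% endif %}"), fixes both that and the double space in "local actions {% if ... %}and reusable workflows{% endif %} that exist".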
@@ -73,8 +83,6 @@ You can choose to disable {% data variables.product.prodname_actions %} for all
{% data reusables.enterprise-accounts.actions-tab %}
{% data reusables.actions.change-retention-period-for-artifacts-logs %}
{% endif %}
## Enforcing a policy for fork pull requests in your enterprise
You can enforce policies to control how {% data variables.product.prodname_actions %} behaves for {% data variables.product.product_location %} when members of your enterprise{% ifversion ghec %} or outside collaborators{% endif %} run workflows from forks.
@@ -94,8 +102,6 @@ You can enforce policies to control how {% data variables.product.prodname_actio
{% endif %}
{% ifversion ghec or ghes or ghae %}
### Enforcing a policy for fork pull requests in private repositories
{% data reusables.actions.private-repository-forks-overview %}
@@ -109,8 +115,6 @@ If a policy is enabled for an enterprise, the policy can be selectively disabled
{% data reusables.enterprise-accounts.actions-tab %}
{% data reusables.actions.private-repository-forks-configure %}
{% endif %}
{% ifversion ghec or ghes > 3.1 or ghae %}
## Enforcing a policy for workflow permissions in your enterprise
@@ -12,6 +12,7 @@ topics:
- Organizations
- Teams
shortTitle: Disable or limit actions
miniTocMaxHeadingLevel: 3
---
{% data reusables.actions.enterprise-beta %}
@@ -23,13 +24,11 @@ shortTitle: Disable or limit actions
You can enable {% data variables.product.prodname_actions %} for all repositories in your organization. {% data reusables.actions.enabled-actions-description %} You can disable {% data variables.product.prodname_actions %} for all repositories in your organization. {% data reusables.actions.disabled-actions-description %}
Alternatively, you can enable {% data variables.product.prodname_actions %} for all repositories in your organization but limit the actions a workflow can run. {% data reusables.actions.enabled-local-github-actions %}
Alternatively, you can enable {% data variables.product.prodname_actions %} for all repositories in your organization but limit the actions {% if actions-workflow-policy %}and reusable workflows{% endif %} a workflow can run.
## Managing {% data variables.product.prodname_actions %} permissions for your organization
You can disable all workflows for an organization or set a policy that configures which actions can be used in an organization.
{% data reusables.actions.actions-use-policy-settings %}
You can choose to disable {% data variables.product.prodname_actions %} for all repositories in your organization, or only allow specific repositories. You can also limit the use of public actions{% if actions-workflow-policy %} and reusable workflows{% endif %}, so that people can only use local actions {% if actions-workflow-policy %}and reusable workflows{% endif %} that exist in your {% ifversion ghec or ghes or ghae %}enterprise{% else %}organization{% endif %}.
{% note %}
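Review bot: the sentence "so that people can only use local actions and reusable workflows that exist in your enterprise/organization" keeps the word "local", whereas the `actions-use-policy-settings` reusable rewritten in this same change drops "local" in favour of "within your enterprise/organization" and the new policy label reads "Allow enterprise, and select non-enterprise, actions and reusable workflows". With the policy now scoped to enterprise or organization, "local" (which the deleted `enabled-local-github-actions` reusable defined as repository, organization, or enterprise) is ambiguous; pick one term across the three articles and the reusables. The `{% if actions-workflow-policy %}and reusable workflows{% endif %}` clause in that sentence also has its space outside the conditional, producing a double space when the flag is off.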
@@ -40,22 +39,30 @@ You can disable all workflows for an organization or set a policy that configure
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.settings-sidebar-actions-general %}
1. Under **Policies**, select an option.

1. Click **Save**.
1. Under "Policies", select an option.
## Allowing specific actions to run
{% indented_data_reference reusables.actions.actions-use-policy-settings spaces=3 %}
{% if actions-workflow-policy %}

{%- else %}

{%- endif %}
1. Click **Save**.
{% data reusables.actions.allow-specific-actions-intro %}
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.settings-sidebar-actions-general %}
1. Under **Policies**, select **Allow select actions** and add your required actions to the list.
{%- ifversion ghes %}

1. Under "Policies", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to the list.
{% if actions-workflow-policy %}

{%- elsif ghes %}

{%- else %}


{%- endif %}
1. Click **Save**.
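Review bot: the screenshot selection for the allow-list step nests `{%- elsif ghes %}` under `{% if actions-workflow-policy %}`, while the block it replaces (and the rest of the file) uses `{%- ifversion ghes %}` for version branches. Please confirm that a version name in an `elsif` of a feature `if` block is evaluated by the docs versioning logic rather than as an undefined Liquid variable; if it is the latter, GHES readers silently get the `else` image (`organizations/actions-policy-allow-list.png`) instead of `enterprise/actions-policy-allow-list.png`. The same `if` / `elsif <version>` shape is used in the enterprise and repository articles in this change, so one confirmation covers all three.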
@@ -17,6 +17,7 @@ topics:
- Permissions
- Pull requests
shortTitle: Manage GitHub Actions settings
miniTocMaxHeadingLevel: 3
---
{% data reusables.actions.enterprise-beta %}
@@ -28,13 +29,11 @@ shortTitle: Manage GitHub Actions settings
You can enable {% data variables.product.prodname_actions %} for your repository. {% data reusables.actions.enabled-actions-description %} You can disable {% data variables.product.prodname_actions %} for your repository altogether. {% data reusables.actions.disabled-actions-description %}
Alternatively, you can enable {% data variables.product.prodname_actions %} in your repository but limit the actions a workflow can run. {% data reusables.actions.enabled-local-github-actions %}
Alternatively, you can enable {% data variables.product.prodname_actions %} in your repository but limit the actions {% if actions-workflow-policy %}and reusable workflows{% endif %} a workflow can run.
## Managing {% data variables.product.prodname_actions %} permissions for your repository
You can disable all workflows for a repository or set a policy that configures which actions can be used in a repository.
{% data reusables.actions.actions-use-policy-settings %}
You can disable {% data variables.product.prodname_actions %} for a repository, or set a policy that configures which actions{% if actions-workflow-policy %} and reusable workflows{% endif %} can be used in the repository.
{% note %}
@@ -45,27 +44,31 @@ You can disable all workflows for a repository or set a policy that configures w
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.settings-sidebar-actions-general %}
1. Under **Actions permissions**, select an option.
1. Under "Actions permissions", select an option.

{% indented_data_reference reusables.actions.actions-use-policy-settings spaces=3 %}
{% if actions-workflow-policy %}

{%- else %}

{%- endif %}
1. Click **Save**.
## Allowing specific actions to run
{% data reusables.actions.allow-specific-actions-intro %}
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.settings-sidebar-actions-general %}
1. Under **Actions permissions**, select **Allow select actions** and add your required actions to the list.
1. Under "Actions permissions", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions to the list.
{%- ifversion ghes %}

{% if actions-workflow-policy%}

{%- elsif ghes %}

{%- else %}


{%- endif %}
1. Click **Save**.
{% ifversion fpt or ghec %}
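Review bot: the repository step "Under "Actions permissions", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions to the list." is missing the `{% if actions-workflow-policy %} and reusable workflows{% endif %}` clause that the equivalent organization and enterprise steps carry, so on fpt/ghec the repository article will tell readers to add only actions to a list whose label explicitly mentions reusable workflows. Suggest "add your required actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to the list" to match the other two. Also, `{% if actions-workflow-policy%}` in this hunk lacks the space before `%}`; Liquid most likely tolerates it, but every other occurrence in the change is written `{% if actions-workflow-policy %}`.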
data/features/actions-workflow-policy.yml
Normal file
@@ -0,0 +1,5 @@
# Reference: #6478.
# Versioning for enterprise/org/repo policy settings for reusable workflow use.
versions:
fpt: '*'
ghec: '*'
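Review bot: the feature file enables `actions-workflow-policy` for `fpt` and `ghec` only, yet several edits in this change place `{% if actions-workflow-policy %}` inside `{%- ifversion ghes or ghae %}` or `{%- ifversion ghes or ghae-issue-5094 %}` blocks (the GitHub Connect note in the enterprise policies article, for instance, gains " and reusable workflows" in a branch that only renders on GHES and GHAE), so those clauses are unreachable until a GHES or GHAE version is listed here. If GHES/GHAE support is intentionally deferred, a one-line comment in this file saying so would stop the dead branches being read as mistakes; if not, the `versions` block needs the corresponding entries. The `# Reference: #6478.` comment would also be more useful with a word on what #6478 is (issue or PR) and in which repository.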
@@ -1,3 +1,3 @@
If you choose **Allow select actions**, local actions are allowed, and there are additional options for allowing other specific actions. For more information, see "[Allowing specific actions to run](#allowing-specific-actions-to-run)."
If you choose {% data reusables.actions.policy-label-for-select-actions-workflows %}, actions {% if actions-workflow-policy %}and reusable workflows{% endif %} within your {% ifversion ghec or ghes or ghae %}enterprise{% else %}organization{% endif %} are allowed, and there are additional options for allowing other specific actions{% if actions-workflow-policy %} and reusable workflows{% endif %}. For more information, see "[Allowing select actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to run](#allowing-select-actions{% if actions-workflow-policy %}-and-reusable-workflows{% endif %}-to-run)."
When you allow local actions only, the policy blocks all access to actions authored by {% data variables.product.prodname_dotcom %}. For example, the [`actions/checkout`](https://github.com/actions/checkout) action would not be accessible.
{% ifversion ghec or fpt %}When you allow actions{% if actions-workflow-policy %} and reusable workflows from only in{% else %} local to{% endif %} your {% ifversion ghec or ghes or ghae %}enterprise{% else %}organization{% endif %}, the policy blocks all access to actions authored by {% data variables.product.prodname_dotcom %}. For example, the [`actions/checkout`](https://github.com/actions/checkout) action would not be accessible.{% endif %}
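Review bot: with the flag on, the second paragraph renders as "When you allow actions and reusable workflows from only in your enterprise, the policy blocks all access to actions authored by GitHub", which is ungrammatical; suggest "When you allow only actions and reusable workflows from within your enterprise/organization, the policy blocks ...". Wrapping the whole paragraph in `{% ifversion ghec or fpt %}` also drops the "local only blocks `actions/checkout`" warning from GHES and GHAE, which still get the **Allow select actions** label from the new reusable and presumably still offer a local-only choice; if removing the warning there is intended, say so in the PR description, otherwise keep the previous wording in an `{% else %}` branch.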
@@ -1,19 +1,28 @@
When you choose **Allow select actions**, local actions are allowed, and there are additional options for allowing other specific actions:
<a name="allowing-select-actions-to-run"></a>
<a name="allowing-specific-actions-to-run"></a>
### Allowing select actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to run
When you choose {% data reusables.actions.policy-label-for-select-actions-workflows %}, local actions{% if actions-workflow-policy %} and reusable workflows{% endif %} are allowed, and there are additional options for allowing other specific actions{% if actions-workflow-policy %} and reusable workflows{% endif %}:
- **Allow actions created by {% data variables.product.prodname_dotcom %}:** You can allow all actions created by {% data variables.product.prodname_dotcom %} to be used by workflows. Actions created by {% data variables.product.prodname_dotcom %} are located in the `actions` and `github` organizations. For more information, see the [`actions`](https://github.com/actions) and [`github`](https://github.com/github) organizations.{% ifversion fpt or ghes or ghae-issue-5094 or ghec %}
- **Allow Marketplace actions by verified creators:** {% ifversion ghes or ghae-issue-5094 %}This option is available if you have {% data variables.product.prodname_github_connect %} enabled and configured with {% data variables.product.prodname_actions %}. For more information, see "[Enabling automatic access to GitHub.com actions using GitHub Connect](/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)."{% endif %} You can allow all {% data variables.product.prodname_marketplace %} actions created by verified creators to be used by workflows. When GitHub has verified the creator of the action as a partner organization, the {% octicon "verified" aria-label="The verified badge" %} badge is displayed next to the action in {% data variables.product.prodname_marketplace %}.{% endif %}
- **Allow specified actions:** You can restrict workflows to use actions in specific organizations and repositories.
- **Allow specified actions{% if actions-workflow-policy %} and reusable workflows{% endif %}:** You can restrict workflows to use actions{% if actions-workflow-policy %} and reusable workflows{% endif %} in specific organizations and repositories.
To restrict access to specific tags or commit SHAs of an action, use the same `<OWNER>/<REPO>@<TAG OR SHA>` syntax used in the workflow to select the action. For example, `actions/javascript-action@v1.0.1` to select a tag or `actions/javascript-action@172239021f7ba04fe7327647b213799853a9eb89` to select a SHA. For more information, see "[Finding and customizing actions](/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions)."
To restrict access to specific tags or commit SHAs of an action{% if actions-workflow-policy %} or reusable workflow{% endif %}, use the same syntax used in the workflow to select the action{% if actions-workflow-policy %} or reusable workflow{% endif %}.
- For an action, the syntax is `<OWNER>/<REPO>@<TAG OR SHA>`. For example, use `actions/javascript-action@v1.0.1` to select a tag or `actions/javascript-action@172239021f7ba04fe7327647b213799853a9eb89` to select a SHA. For more information, see "[Finding and customizing actions](/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions)."
{%- if actions-workflow-policy %}
- For a reusable workflow, the syntax is `<OWNER>/<REPO>/<PATH>/<FILENAME>@<TAG OR SHA>`. For example, `octo-org/another-repo/.github/workflows/workflow.yml@v1`. For more information, see "[Reusing workflows](/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow)."
{%- endif %}
You can use the `*` wildcard character to match patterns. For example, to allow all actions in organizations that start with `space-org`, you can specify `space-org*/*`. To add all actions in repositories that start with octocat, you can use `*/octocat*@*`. For more information about using the `*` wildcard, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
You can use the `*` wildcard character to match patterns. For example, to allow all actions{% if actions-workflow-policy %} and reusable workflows{% endif %} in organizations that start with `space-org`, you can specify `space-org*/*`. To allow all actions{% if actions-workflow-policy %} and reusable workflows{% endif %} in repositories that start with octocat, you can use `*/octocat**@*`. For more information about using the `*` wildcard, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)."
{% ifversion fpt or ghec %}
{% note %}
**Note:** The **Allow specified actions** option is only available in public repositories with the {% data variables.product.prodname_free_user %}, {% data variables.product.prodname_pro %}, {% data variables.product.prodname_free_team %} for organizations, or {% data variables.product.prodname_team %} plan.
**Note:** The **Allow specified actions{% if actions-workflow-policy %} and reusable workflows{% endif %}** option is only available in public repositories with the {% data variables.product.prodname_free_user %}, {% data variables.product.prodname_pro %}, {% data variables.product.prodname_free_team %} for organizations, or {% data variables.product.prodname_team %} plan.
{% endnote %}
{% endif %}
This procedure demonstrates how to add specific actions to the allow list.
This procedure demonstrates how to add specific actions{% if actions-workflow-policy %} and reusable workflows{% endif %} to the allow list.
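Review bot: the wildcard example changes from `*/octocat*@*` to `*/octocat**@*` with no explanation. If the double asterisk is deliberate, presumably so the pattern also spans the `/<PATH>/<FILENAME>` part of a reusable-workflow reference such as `octo-org/another-repo/.github/workflows/workflow.yml@v1` (which a single `*` would not cover if `*` stops at `/`, as the linked filter-pattern cheat sheet describes), a sentence saying so would stop readers treating it as a typo, and it is worth checking whether `space-org*/*` in the same paragraph needs the same treatment to match reusable workflows. If it is not deliberate, revert it. Separately, this reusable still says "local actions and reusable workflows are allowed" while the sibling `actions-use-policy-settings` reusable was changed in this commit to "actions and reusable workflows within your enterprise/organization"; the two are rendered next to each other, so align the wording.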
@@ -1 +1 @@
By default, {% ifversion ghes or ghae %}after {% data variables.product.prodname_actions %} is enabled on {% data variables.product.product_location %}, it{% elsif fpt or ghec %}{% data variables.product.prodname_actions %}{% endif %} is enabled on all repositories and organizations. You can choose to disable {% data variables.product.prodname_actions %} or limit them to local actions only, which means that people can only use actions that exist in your repository.
By default, {% ifversion ghes or ghae %}after {% data variables.product.prodname_actions %} is enabled on {% data variables.product.product_location %}, it{% elsif fpt or ghec %}{% data variables.product.prodname_actions %}{% endif %} is enabled on all repositories and organizations. You can choose to disable {% data variables.product.prodname_actions %} or limit it to actions {% if actions-workflow-policy %}and reusable workflows{% endif %} in your {% ifversion ghec or ghes or ghae %}enterprise{% else %}organization{% endif %}.
@@ -1 +1 @@
When you enable {% data variables.product.prodname_actions %}, workflows are able to run actions located within your repository and any other{% ifversion fpt %} public{% elsif ghec or ghes %} public or internal{% elsif ghae %} internal{% endif %} repository.
When you enable {% data variables.product.prodname_actions %}, workflows are able to run actions {% if actions-workflow-policy %}and reusable workflows{% endif %} located within your repository and any other{% ifversion fpt %} public{% elsif ghec or ghes %} public or internal{% elsif ghae %} internal{% endif %} repository.
@@ -1 +0,0 @@
When you enable local actions only, workflows can only run actions located in your repository, organization, or enterprise.
@@ -1,12 +0,0 @@
1. Under "Policies", select your options.
You can choose which organizations in your enterprise can use {% data variables.product.prodname_actions %}, and you can restrict access to public actions.
{% ifversion ghes %}
{% note %}
**Note:** To enable access to public actions, you must first configure {% data variables.product.product_location %} to connect to {% data variables.product.prodname_marketplace %}. For more information, see "[Enabling automatic access to GitHub.com actions using GitHub Connect](/admin/github-actions/enabling-automatic-access-to-githubcom-actions-using-github-connect)."
{% endnote %}
{% endif %}

@@ -0,0 +1 @@
{% if actions-workflow-policy %}{% ifversion ghec or ghes or ghae %}**Allow enterprise, and select non-enterprise, actions and reusable workflows**{% else %}**Allow *OWNER*, and select non-*OWNER*, actions and reusable workflows**{% endif %}{% else %}**Allow select actions**{% endif %}
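Review bot: the fpt label uses `*OWNER*` as a placeholder inside bold text (**Allow *OWNER*, and select non-*OWNER*, actions and reusable workflows**), while the rest of this change writes placeholders as `<OWNER>/<REPO>@<TAG OR SHA>`; mixing the two conventions on the same page is confusing, and since the real UI shows the organization or user name, readers may look for the literal word OWNER. Either explain the placeholder at first use in each article that embeds this reusable, or phrase the label generically ("the option that allows actions and reusable workflows within your organization or account, and select others"). Also note that, with the feature enabled only for `fpt` and `ghec`, the inner `{% ifversion ghec or ghes or ghae %}` branch effectively reduces to `ghec`; that is fine, but a short comment would save the next editor from wondering why GHES/GHAE are listed.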
@@ -1,3 +1,3 @@
## Permissions
The Permissions API allows you to set permissions for what enterprises, organizations, and repositories are allowed to run {% data variables.product.prodname_actions %}, and what actions are allowed to run.{% ifversion fpt or ghec or ghes %} For more information, see "[Usage limits, billing, and administration](/actions/reference/usage-limits-billing-and-administration#disabling-or-limiting-github-actions-for-your-repository-or-organization)."{% endif %}
The Permissions API allows you to set permissions for what enterprises, organizations, and repositories are allowed to run {% data variables.product.prodname_actions %}, and what actions{% if actions-workflow-policy %} and reusable workflows{% endif %} are allowed to run.{% ifversion fpt or ghec or ghes %} For more information, see "[Usage limits, billing, and administration](/actions/reference/usage-limits-billing-and-administration#disabling-or-limiting-github-actions-for-your-repository-or-organization)."{% endif %}