# Workflow Run Policies

{% hint style="info" %}
This feature is currently available for early access. If you installed the [StepSecurity Advanced App](https://github.com/apps/stepsecurity-app) before **May 1st, 2025**, you will need to accept **a new permission** to enable Workflow Run policies:

* `actions: write`

This permission is required for the StepSecurity Advanced App to cancel GitHub workflow runs.
{% endhint %}

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.

## How It Works

When a workflow run violates a policy, the run is automatically blocked. Policies let you:

* Block known-compromised GitHub Actions automatically, so they never execute in your workflows
* Control whether secrets can be used on non-default branches
* Restrict which GitHub Actions are permitted, including internal/private actions
* Restrict which runner labels are allowed or disallowed
* Require workflows to run in a hardened environment via the Harden-Runner action

Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:

| Policy Type | Description | Example Blocked Run | Workflow File |
| --- | --- | --- | --- |
| [Compromised Actions Policy](/pages/VM2VHNg1kXWVmg8okUjB#compromised-actions-policy) | Blocks runs that use a compromised GitHub Action | [Run](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14963344708) | [Workflow](https://github.com/actions-security-demo/run-policy-demo/blob/570526443e4ba306d7b2408a7e4259bd0226ccde/.github/workflows/ci.yml) |
| [Secret Exfiltration Policy](/pages/VM2VHNg1kXWVmg8okUjB#secret-exfiltration-policy) | Prevents unauthorized access to secrets | [Run](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775638558) | [Workflow](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775638558/workflow) |
| [Allowed Actions Policy](/pages/VM2VHNg1kXWVmg8okUjB#allowed-actions-policy) | Blocks runs if a third-party or internal action is not on the allowed list | [Run](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775587778) | [Workflow](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775587778/workflow) |
| [Runner Label Policy](/pages/VM2VHNg1kXWVmg8okUjB#runner-label-policy) | Blocks runs if the runner label is not on the allowed list | [Run](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775622822) | [Workflow](https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775622822/workflow) |
| [Harden-Runner Policy](/pages/VM2VHNg1kXWVmg8okUjB#harden-runner-policy) | Blocks runs that do not use the Harden-Runner action | [Run](https://github.com/actions-security-demo/run-policy-demo/actions/runs/24687232788) | [Workflow](https://github.com/actions-security-demo/run-policy-demo/actions/runs/24687232788/workflow) |
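To make the policy types concrete, here is an added illustration in Python (not StepSecurity's code and not the real policy engine): a minimal evaluator that checks one workflow run against each policy type listed above, using a constructed, already-parsed workflow. The policy keys, the input shape, the placeholder compromised action, and the rule that Harden-Runner must be a job's first step are assumptions.

```python
import re

# Constructed policy mirroring the page's policy types (every value is an assumption).
POLICY = {
    "compromised_actions": {"example-org/compromised-action@v1"},  # placeholder entry
    "allowed_actions": {"actions/checkout", "step-security/harden-runner", "my-org/*"},
    "allowed_runner_labels": {"ubuntu-latest"},
    "require_harden_runner": True,
    "secrets_default_branch_only": True,
}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")  # matches ${{ secrets.NAME }}

def action_allowed(uses, allowed):
    """'owner/repo[/path]@ref' passes if owner/repo or owner/* is on the allow list."""
    if uses.startswith(("./", "docker://")):
        return False  # local and docker actions are not matched by this helper (assumption)
    owner_repo = "/".join(uses.split("@", 1)[0].split("/")[:2])
    return owner_repo in allowed or owner_repo.split("/")[0] + "/*" in allowed

def evaluate(workflow, ref, default_branch, policy=POLICY):
    """Return the policy violations for one run; an empty list means it may proceed."""
    violations = []
    on_default = ref == f"refs/heads/{default_branch}"
    for name, job in workflow["jobs"].items():
        runs_on = job.get("runs-on", [])
        bad = ({runs_on} if isinstance(runs_on, str) else set(runs_on)) - policy["allowed_runner_labels"]
        if bad:
            violations.append(f"{name}: runner label(s) {sorted(bad)} not allowed")
        steps = job.get("steps", [])
        # Assumption: 'hardened' means Harden-Runner is the job's first step.
        first = steps[0].get("uses", "") if steps else ""
        if policy["require_harden_runner"] and not first.startswith("step-security/harden-runner@"):
            violations.append(f"{name}: first step is not step-security/harden-runner")
        for step in steps:
            uses = step.get("uses", "")
            if uses in policy["compromised_actions"]:
                violations.append(f"{name}: {uses} is a known-compromised action")
            elif uses and not action_allowed(uses, policy["allowed_actions"]):
                violations.append(f"{name}: {uses} is not on the allowed list")
            # Secret expressions can sit in a step's run:, with: or env: values.
            text = " ".join(str(v) for v in [step.get("run", ""), *step.get("with", {}).values(), *step.get("env", {}).values()])
            if policy["secrets_default_branch_only"] and not on_default and SECRET_REF.search(text):
                violations.append(f"{name}: secrets referenced on non-default ref {ref}")
    return violations

# Constructed workflow (as parsed from YAML) that trips four of the policies above.
WORKFLOW = {"jobs": {"build": {"runs-on": ["self-hosted", "gpu"], "steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "example-org/compromised-action@v1"},
    {"run": "./deploy.sh", "env": {"TOKEN": "${{ secrets.DEPLOY_TOKEN }}"}}]}}}
print(*evaluate(WORKFLOW, "refs/heads/feature/x", "main"), sep="\n")
```

Running it prints one line per violation for the constructed run: disallowed runner labels, a missing Harden-Runner first step, the compromised action, and a secret referenced on a non-default branch.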

When a workflow run is blocked, you will see this message in the workflow run:

```
The run was canceled by @stepsecurity-app[bot].
```

Compliant workflow runs continue without any impact—everything runs as expected.

Use this interactive demo to learn how to set up an Actions policy in your organization:

{% embed url="https://app.storylane.io/share/oyniugodihnf" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stepsecurity.io/github-actions/workflow-run-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
