Run Policies
Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.
When a workflow run violates a policy, the run is automatically blocked. You can define policies such as:
Which runner labels are allowed or disallowed.
Which GitHub Actions are permitted, including internal/private actions.
Whether secrets can be used on non-default branches.
Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:
Blocks runs if the runner label is not in an allowed list or is in a disallowed list.
Blocks runs if a third-party or internal action is not on the allowed list.
Blocks runs if GitHub Actions secrets are used on non-default branches. Pushing a workflow that references secrets to a feature branch is a common way for an attacker holding a compromised developer account to exfiltrate them, because such a push needs no review on the default branch.
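To make the three policy types concrete, here is an added example of a policy evaluator that checks a parsed workflow plus the run's branch context against an organization policy and returns one record per violation. This is illustration code written for this page, not StepSecurity's implementation: the policy schema (`allowed_runner_labels`, `disallowed_runner_labels`, `allowed_actions`, `allow_local_actions`, `block_secrets_on_non_default_branches`), the function names and the sample workflow are all assumptions constructed here. The workflow is shown as the dict a YAML loader would return so the example runs with the standard library only.

```python
"""Evaluate a GitHub Actions workflow run against organization run policies.

Added example; the policy schema, function names and sample data are
assumptions constructed for illustration, not a vendor's implementation.
"""
import re
from typing import Any, Iterator

# Matches any reference to the secrets context, e.g. ${{ secrets.NPM_TOKEN }}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def iter_strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere inside a parsed-YAML structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from iter_strings(v)


def runner_labels(runs_on: Any) -> list:
    """`runs-on` may be a string, a list of labels, or a {group, labels} mapping."""
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, dict):
        return runner_labels(runs_on.get("labels", []))
    return list(runs_on or [])


def action_id(uses: str) -> str:
    """Reduce `owner/repo/subdir@ref` to `owner/repo` for allow-list matching."""
    parts = uses.split("@", 1)[0].split("/")
    return "/".join(parts[:2])


def action_allowed(uses: str, policy: dict) -> bool:
    allowed = policy.get("allowed_actions")
    if allowed is None:                 # no allow list configured: policy type not in use
        return True
    if uses.startswith("./"):           # local action inside the same repository
        return policy.get("allow_local_actions", False)
    if uses.startswith("docker://"):    # assumption: container refs need an exact entry
        return uses in allowed
    ident = action_id(uses)
    owner = ident.split("/")[0]
    return ident in allowed or f"{owner}/*" in allowed   # "owner/*" allows a whole org


def evaluate_run(workflow: dict, run: dict, policy: dict) -> list:
    """Return one violation record per breach; an empty list means the run may proceed."""
    violations = []
    on_default = run["ref"] == f"refs/heads/{run['default_branch']}"
    allowed_labels = set(policy.get("allowed_runner_labels", []))
    disallowed_labels = set(policy.get("disallowed_runner_labels", []))

    for job_name, job in workflow.get("jobs", {}).items():
        # Runner label policy: a disallowed label wins over the allowed list
        for label in runner_labels(job.get("runs-on")):
            if label in disallowed_labels:
                violations.append({"job": job_name, "policy": "runner-label",
                                   "detail": f"label '{label}' is disallowed"})
            elif allowed_labels and label not in allowed_labels:
                violations.append({"job": job_name, "policy": "runner-label",
                                   "detail": f"label '{label}' is not in the allowed list"})

        # Allowed actions policy: every `uses:` must match the allow list
        for step in job.get("steps", []):
            uses = step.get("uses")
            if uses and not action_allowed(uses, policy):
                violations.append({"job": job_name, "policy": "allowed-actions",
                                   "detail": f"action '{uses}' is not on the allowed list"})

        # Secrets policy: scan job env and every step's env/with/run on non-default refs
        if policy.get("block_secrets_on_non_default_branches") and not on_default:
            found = set()
            for text in iter_strings({"env": job.get("env"), "steps": job.get("steps")}):
                found.update(SECRET_REF.findall(text))
            found.discard("GITHUB_TOKEN")   # assumption: the auto-issued token is exempt
            for name in sorted(found):
                violations.append({"job": job_name, "policy": "secrets",
                                   "detail": f"secret '{name}' used on non-default ref {run['ref']}"})
    return violations


def is_blocked(workflow: dict, run: dict, policy: dict) -> bool:
    return bool(evaluate_run(workflow, run, policy))


# Constructed sample policy and workflow (not real organization data)
POLICY = {
    "allowed_runner_labels": ["ubuntu-latest", "ubuntu-22.04", "hardened-runner"],
    "disallowed_runner_labels": ["self-hosted"],
    "allowed_actions": ["actions/*", "github/codeql-action", "example-org/*"],
    "allow_local_actions": True,
    "block_secrets_on_non_default_branches": True,
}

WORKFLOW = {
    "name": "release",
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v4"},
                      {"uses": "./.github/actions/setup-toolchain"},
                      {"run": "make test"}],
        },
        "publish": {
            "runs-on": ["self-hosted", "linux"],
            "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"},
            "steps": [{"uses": "actions/checkout@v4"},
                      {"uses": "some-vendor/publish-action/cli@v1",
                       "with": {"token": "${{ secrets.DEPLOY_KEY }}"}},
                      {"run": "npm publish"}],
        },
    },
}

RUN_ON_FEATURE = {"ref": "refs/heads/feature/x", "default_branch": "main"}
RUN_ON_MAIN = {"ref": "refs/heads/main", "default_branch": "main"}

if __name__ == "__main__":
    for v in evaluate_run(WORKFLOW, RUN_ON_FEATURE, POLICY):
        print(f"[{v['policy']}] job '{v['job']}': {v['detail']}")
```

Run against the feature-branch context, the `build` job passes cleanly while `publish` collects five violations (two runner labels, one unapproved action, two secrets); against `main` the same workflow yields only the three runner and action violations, which is the behaviour the secrets policy above describes.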
When a workflow run is blocked, you will see this message in the workflow run:
Use this interactive demo to learn how to set up an Actions policy in your organization: