Workflow Run Policies
Available for Enterprise Tier only
Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.
How It Works
When a workflow run violates a policy, the run is automatically blocked. You can define policies such as:
Automatically block compromised GitHub Actions, preventing them from executing in your workflows
Whether secrets can be used on non-default branches
Which GitHub Actions are permitted, including internal/private actions
Which runner labels are allowed or disallowed
Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:
Blocks runs if a third-party or internal action is not on the allowed list.
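The policy types listed above can be reduced to a small set of checks over a workflow definition. The following is an added, constructed example (not StepSecurity's policy engine, format, or code) showing how those checks evaluate: an allowed-actions list that also treats internal/private actions as first-class entries, a deny list for actions known to be compromised, an allowed runner-label list, and a rule that refuses secrets on non-default branches. The policy values, action names, runner labels and sample workflows are all assumptions for illustration. It parses `uses:` and `runs-on:` entries with regular expressions so it runs without a YAML library; `runs-on` given as a block-style list is not handled.

```python
"""Constructed policy evaluator for GitHub Actions workflows.

Illustrative only: the policy structure below is an assumption, not the
StepSecurity policy format. A run is considered blocked when evaluate()
returns one or more violations.
"""
import re

# Constructed policy (all names are assumptions for this example).
POLICY = {
    "allowed_actions": {
        "actions/checkout",
        "actions/setup-node",
        "my-org/internal-build",        # assumed internal/private action
    },
    # Actions treated as compromised; always blocked even if allowed above.
    "compromised_actions": {"example-org/compromised-action"},
    "allowed_runner_labels": {"ubuntu-latest", "my-org-hardened"},
    "allow_secrets_on_non_default_branch": False,
    "default_branch": "main",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$", re.MULTILINE)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def extract_actions(workflow_text):
    """Return (owner/repo, ref) for every remote `uses:` entry.

    Local (./path) and docker:// references are skipped. A sub-path action
    such as owner/repo/path@v1 is keyed by its owner/repo.
    """
    actions = []
    for ref in USES_RE.findall(workflow_text):
        ref = ref.strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        owner_repo = "/".join(name.split("/")[:2])
        actions.append((owner_repo, version))
    return actions


def extract_runner_labels(workflow_text):
    """Return the set of runner labels from `runs-on:` lines.

    Handles a scalar (`runs-on: ubuntu-latest`) and an inline flow list
    (`runs-on: [self-hosted, linux]`). Expressions such as
    `${{ matrix.os }}` are kept verbatim, so they fail the allow-list
    check unless explicitly allowed (conservative by design).
    """
    labels = set()
    for value in RUNS_ON_RE.findall(workflow_text):
        value = value.strip().strip("'\"")
        if value.startswith("[") and value.endswith("]"):
            labels.update(v.strip().strip("'\"")
                          for v in value[1:-1].split(",") if v.strip())
        else:
            labels.add(value)
    return labels


def extract_secret_names(workflow_text):
    """Return the set of secret names referenced via ${{ secrets.NAME }}."""
    return set(SECRET_RE.findall(workflow_text))


def evaluate(workflow_text, branch, policy=POLICY):
    """Return a list of policy violations for a run on `branch`.

    An empty list means the run is compliant and would not be blocked.
    """
    violations = []
    for owner_repo, version in extract_actions(workflow_text):
        if owner_repo in policy["compromised_actions"]:
            violations.append(f"compromised action: {owner_repo}@{version}")
        elif owner_repo not in policy["allowed_actions"]:
            violations.append(f"action not on allowed list: {owner_repo}@{version}")
    for label in sorted(extract_runner_labels(workflow_text)):
        if label not in policy["allowed_runner_labels"]:
            violations.append(f"runner label not allowed: {label}")
    secrets = extract_secret_names(workflow_text)
    if (secrets and branch != policy["default_branch"]
            and not policy["allow_secrets_on_non_default_branch"]):
        violations.append(
            f"secrets used on non-default branch '{branch}': "
            + ", ".join(sorted(secrets)))
    return violations


# Constructed sample workflow that violates several policies at once.
NONCOMPLIANT_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/compromised-action@v1
      - uses: some-org/unvetted-action/sub@v2
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample workflow that satisfies every policy above.
COMPLIANT_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: my-org/internal-build@v1
      - run: npm test
"""

if __name__ == "__main__":
    for name, wf in (("noncompliant", NONCOMPLIANT_WORKFLOW),
                     ("compliant", COMPLIANT_WORKFLOW)):
        found = evaluate(wf, "feature/x")
        print(f"{name}: {'BLOCKED' if found else 'allowed'}")
        for v in found:
            print("  -", v)
```

The compromised-action check runs before the allow-list check so that an action which was once approved is still blocked once it is marked compromised; the secrets rule is evaluated against the branch the run targets, which is why the same workflow can be compliant on the default branch and blocked on a feature branch.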
When a workflow run is blocked, you will see this message in the workflow run:
The run was canceled by @stepsecurity-app[bot].
Compliant workflow runs continue without any impact—everything runs as expected.
Use this interactive demo to learn how to set up an Actions policy in your organization: