Workflow Run Policies
Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.
When a workflow run violates a policy, the run is automatically blocked. You can define policies such as:
Which runner labels are allowed or disallowed.
Which GitHub Actions are permitted, including internal/private actions.
Whether secrets can be used on non-default branches.
Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:
Runner Label Policy
Blocks runs if the runner label is not in an allowed list or is in a disallowed list.
Actions Policy
Blocks runs if a third-party or internal action is not on the allowed list.
Secret Exfiltration Policy
Blocks runs if GitHub Actions secrets are used on non-default branches. Referencing secrets from a workflow on a non-default branch is a common technique for exfiltrating them once a developer account has been compromised, since such branches usually carry no review or protection.
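To make the three policy types concrete, the following added example evaluates a workflow run against each of them and reports the violations that would block it. It is illustrative code written for this page, not the product's own implementation or policy format: the `Policy` and `WorkflowRun` shapes, the field names, and the sample policy and runs are all constructed assumptions. Local actions referenced as `./path` are treated as part of the repository and skipped by the actions check, and the automatically provided `GITHUB_TOKEN` is excluded from the secret check; both are choices made for this example.

```python
from dataclasses import dataclass, field
import re


@dataclass
class Policy:
    """Organization-defined policy. This schema is an assumption for the example."""
    allowed_runner_labels: set = field(default_factory=set)      # empty set = no allow-list
    disallowed_runner_labels: set = field(default_factory=set)
    allowed_actions: set = field(default_factory=set)            # "owner/repo"; empty set = no allow-list
    block_secrets_on_non_default_branch: bool = True


@dataclass
class WorkflowRun:
    """The facts about a run that the policies need (constructed shape, not a real API)."""
    ref: str                 # git ref the run is for, e.g. "refs/heads/main"
    default_branch: str      # repository default branch, e.g. "main"
    runner_labels: set       # labels taken from `runs-on:`
    uses: list               # every `uses:` value in the workflow
    step_text: str           # raw text of the steps, scanned for secret references


# Matches ${{ secrets.NAME }} expressions as written in workflow files.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def action_name(uses: str) -> str:
    """Reduce a `uses:` value to owner/repo: drop the @ref and any subpath."""
    return "/".join(uses.split("@", 1)[0].split("/")[:2])


def branch_of(ref: str):
    """Return the branch name for a branch ref, or None for tags, PR merge refs, etc."""
    prefix = "refs/heads/"
    return ref[len(prefix):] if ref.startswith(prefix) else None


def evaluate(run: WorkflowRun, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means the run may proceed."""
    violations = []

    # Runner Label Policy: every label must pass the disallow-list and, if set, the allow-list.
    for label in sorted(run.runner_labels):
        if label in policy.disallowed_runner_labels:
            violations.append(f"runner label '{label}' is disallowed")
        elif policy.allowed_runner_labels and label not in policy.allowed_runner_labels:
            violations.append(f"runner label '{label}' is not in the allowed list")

    # Actions Policy: third-party and internal actions must be on the allow-list.
    # Local actions (./path) live in the repository itself and are not checked here (assumption).
    if policy.allowed_actions:
        for uses in run.uses:
            if uses.startswith("./"):
                continue
            if action_name(uses) not in policy.allowed_actions:
                violations.append(f"action '{uses}' is not in the allowed list")

    # Secret Exfiltration Policy: secrets referenced on any ref other than the default branch.
    if policy.block_secrets_on_non_default_branch and branch_of(run.ref) != run.default_branch:
        secrets = sorted(set(SECRET_REF.findall(run.step_text)) - {"GITHUB_TOKEN"})
        for name in secrets:
            violations.append(f"secret '{name}' used on non-default ref '{run.ref}'")

    return violations


def is_blocked(run: WorkflowRun, policy: Policy) -> bool:
    """A run is blocked as soon as any policy is violated."""
    return bool(evaluate(run, policy))


# Constructed sample policy and runs (not real organization data).
POLICY = Policy(
    allowed_runner_labels={"ubuntu-latest", "ubuntu-22.04"},
    disallowed_runner_labels={"self-hosted"},
    allowed_actions={"actions/checkout", "actions/setup-node"},
)

CLEAN_RUN = WorkflowRun(
    ref="refs/heads/main", default_branch="main",
    runner_labels={"ubuntu-latest"},
    uses=["actions/checkout@v4", "actions/setup-node@v4", "./.github/actions/lint"],
    step_text="run: npm publish\nenv:\n  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n",
)

SUSPICIOUS_RUN = WorkflowRun(
    ref="refs/heads/feature/fix-typo", default_branch="main",
    runner_labels={"self-hosted"},
    uses=["actions/checkout@v4", "example-org/unreviewed-action@main"],
    step_text="run: ./build.sh\nenv:\n  TOKEN: ${{ secrets.NPM_TOKEN }}\n  GH: ${{ secrets.GITHUB_TOKEN }}\n",
)

if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("suspicious", SUSPICIOUS_RUN)):
        result = evaluate(run, POLICY)
        print(name, "BLOCKED" if result else "allowed", result)
```

Running the block prints one line per sample run: the run on the default branch with allowed labels and actions passes, while the feature-branch run collects one violation from each policy type (a disallowed runner label, an action outside the allow-list, and a secret referenced off the default branch). Collecting every violation rather than stopping at the first one is deliberate: the person fixing a blocked run wants the full list in one pass.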
When a workflow run is blocked, you will see this message in the workflow run: