Workflow Run Policies
This feature is currently in early access. If you installed the StepSecurity Advanced App before May 1st, 2025, you will need to accept a new permission to enable Workflow Run Policies:
actions: write
This permission is required so that the StepSecurity Advanced App can cancel GitHub workflow runs that violate a policy.
Available for Enterprise Tier only
Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.
How It Works
When a workflow run violates a policy, the run is automatically blocked. You can define policies such as:
Automatically blocking known-compromised GitHub Actions so they never execute in your workflows
Whether secrets can be used on non-default branches
Which GitHub Actions are permitted, including internal/private actions
Which runner labels are allowed or disallowed
Below are the supported policy types, with example runs where policy enforcement blocked workflow execution:
Actions policy: blocks runs if a third-party or internal action is not on the organization's allowed list.
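To make the policy types above concrete, here is an added example of a small policy evaluator. It is not StepSecurity's implementation and does not use StepSecurity's policy format; the Policy fields, the sample policy, and the two workflows (given in already-parsed form, as a YAML parser would produce them) are constructed for illustration, and "example-org/compromised-action" is a placeholder name, not a real advisory. It checks a run against an allowed-actions list, a blocked (compromised) actions list, allowed runner labels, and a rule on secrets use outside the default branch, and returns the reasons a run would be cancelled.

```python
import re
from dataclasses import dataclass, field

# Matches ${{ secrets.NAME }} expressions anywhere in a string value
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")


@dataclass
class Policy:
    """Hypothetical org policy for this example; field names are not StepSecurity's."""
    allowed_actions: set = field(default_factory=set)        # "owner/repo" or "./local/path"
    blocked_actions: set = field(default_factory=set)        # known-compromised "owner/repo", any ref
    allowed_runner_labels: set = field(default_factory=set)
    secrets_on_non_default_branches: bool = False


def action_name(uses: str) -> str:
    """'actions/checkout@v4' -> 'actions/checkout'; a local './path' has no ref and is returned as-is."""
    return uses.split("@", 1)[0]


def references_secrets(value) -> bool:
    """True if a run script string, or any value of an env/with mapping, uses ${{ secrets.* }}."""
    if value is None:
        return False
    values = [value] if isinstance(value, str) else list(value.values())
    return any(SECRET_RE.search(str(v)) for v in values)


def evaluate(policy: Policy, workflow: dict, branch: str, default_branch: str = "main") -> list:
    """Return the policy violations for one run; an empty list means the run may proceed."""
    violations = []
    secrets_forbidden = branch != default_branch and not policy.secrets_on_non_default_branches

    if secrets_forbidden and references_secrets(workflow.get("env")):
        violations.append(f"workflow env uses secrets on non-default branch '{branch}'")

    for job_name, job in workflow.get("jobs", {}).items():
        runs_on = job.get("runs-on", [])
        labels = [runs_on] if isinstance(runs_on, str) else list(runs_on)
        for label in labels:
            if label not in policy.allowed_runner_labels:
                violations.append(f"{job_name}: runner label '{label}' is not allowed")

        if secrets_forbidden and references_secrets(job.get("env")):
            violations.append(f"{job_name}: job env uses secrets on non-default branch '{branch}'")

        for idx, step in enumerate(job.get("steps", [])):
            uses = step.get("uses")
            if uses:
                name = action_name(uses)
                if name in policy.blocked_actions:
                    violations.append(f"{job_name}/step {idx}: '{uses}' is a blocked (compromised) action")
                elif name not in policy.allowed_actions:
                    violations.append(f"{job_name}/step {idx}: '{uses}' is not on the allowed list")
            if secrets_forbidden and any(
                references_secrets(step.get(key)) for key in ("env", "with", "run")
            ):
                violations.append(f"{job_name}/step {idx}: uses secrets on non-default branch '{branch}'")
    return violations


# Constructed sample policy (placeholder names, not real advisories)
ORG_POLICY = Policy(
    allowed_actions={"actions/checkout", "actions/setup-node", "./.github/actions/build"},
    blocked_actions={"example-org/compromised-action"},
    allowed_runner_labels={"ubuntu-latest", "ubuntu-22.04"},
    secrets_on_non_default_branches=False,
)

# Constructed sample workflows, in the parsed form a YAML loader would return
COMPLIANT_WORKFLOW = {
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "./.github/actions/build"},
                {"run": "npm test"},
            ],
        }
    }
}

VIOLATING_WORKFLOW = {
    "jobs": {
        "deploy": {
            "runs-on": ["self-hosted", "linux"],
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "example-org/compromised-action@v1"},
                {"uses": "some-vendor/deploy@main", "with": {"token": "${{ secrets.DEPLOY_TOKEN }}"}},
                {"run": "echo $KEY", "env": {"KEY": "${{ secrets.API_KEY }}"}},
            ],
        }
    }
}


if __name__ == "__main__":
    print("compliant run on main:", evaluate(ORG_POLICY, COMPLIANT_WORKFLOW, "main") or "allowed")
    print("violating run on feature/x is blocked because:")
    for reason in evaluate(ORG_POLICY, VIOLATING_WORKFLOW, "feature/x"):
        print(" -", reason)
```

Note that the same violating workflow evaluated on the default branch keeps its action and runner-label violations but loses the secrets violations, which is the behaviour the non-default-branch rule is meant to have: a feature branch opened by an outside contributor should not be able to reach deployment credentials, while the reviewed default branch can.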
When a workflow run is blocked, you will see this message in the workflow run:
Compliant workflow runs continue without any impact—everything runs as expected.