# Workflow Run Policies

{% hint style="info" %}
This feature is currently available for early access. If you installed the [StepSecurity Advanced App](https://github.com/apps/stepsecurity-app) before **May 1st, 2025**, you will need to accept **a new permission** to enable Workflow Run policies:

* `actions: write`

This permission is required so that the StepSecurity Advanced App can cancel GitHub workflow runs.
{% endhint %}

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

Workflow Run Policies allow you to enforce security controls by blocking GitHub Actions workflow runs that violate organization-defined policies. This is particularly useful for preventing misconfigurations and supply chain attacks in your CI/CD pipelines.

## How It Works

When a workflow run violates a policy, the run is automatically canceled. Policies can control:

* Compromised GitHub Actions: runs that use a known-compromised action are blocked, preventing it from executing in your workflows
* Secret access: whether secrets can be used in runs on non-default branches
* Allowed GitHub Actions: which third-party and internal/private actions are permitted
* Runner labels: which runner labels are allowed or disallowed

Below are the supported policy types and example runs where the policy enforcement blocked workflow execution:

<table><thead><tr><th width="131.6171875">Policy Type</th><th width="331.75">Description</th><th>Example Blocked Run</th><th>Workflow File</th></tr></thead><tbody><tr><td><a href="policies#compromised-actions-policy">Compromised Actions Policy</a></td><td>Blocks runs that use a known-compromised GitHub Action</td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14963344708">Run</a></td><td><a href="https://github.com/actions-security-demo/run-policy-demo/blob/570526443e4ba306d7b2408a7e4259bd0226ccde/.github/workflows/ci.yml">Workflow</a></td></tr><tr><td><a href="policies#secret-exfiltration-policy">Secret Exfiltration Policy</a></td><td>Blocks runs that use secrets where the policy does not allow it (for example, on non-default branches)</td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775638558">Run</a></td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775638558/workflow">Workflow</a></td></tr><tr><td><a href="policies#allowed-actions-policy">Allowed Actions Policy</a></td><td>Blocks runs if a third-party or internal action is not on the allowed list</td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775587778">Run</a></td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775587778/workflow">Workflow</a></td></tr><tr><td><a href="policies#runner-label-policy">Runner Label Policy</a></td><td>Blocks runs if a runner label is not on the allowed list or is explicitly disallowed</td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775622822">Run</a></td><td><a href="https://github.com/actions-security-demo/run-policy-demo/actions/runs/14775622822/workflow">Workflow</a></td></tr></tbody></table>
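To make the four policy types concrete, here is an added example (not StepSecurity's code and not the product's policy format) of a local pre-check that evaluates a parsed workflow against the same kinds of rules before it is pushed. The `POLICY` values, the `example-org/...` action names, the `feature/x` branch and the `SAMPLE_WORKFLOW` dictionary are all constructed for illustration; the workflow is shown as it would look after YAML parsing so the script runs without extra dependencies. Treating the automatic `GITHUB_TOKEN` as exempt from the secrets rule is this example's assumption, not a statement about how the product behaves.

```python
import re

DEFAULT_BRANCH = "main"  # assumed default branch of the repository

# Constructed policy for illustration only; real policies are configured in the StepSecurity dashboard.
POLICY = {
    "compromised_actions": {"example-org/compromised-action@v2"},  # exact `uses:` references
    "allowed_actions": {"actions/checkout", "actions/setup-node", "example-org/internal-action"},
    "allowed_runner_labels": {"ubuntu-latest", "self-hosted"},
    "disallowed_runner_labels": {"macos-latest"},
    "secrets_on_non_default_branch": False,
}

# Matches ${{ secrets.NAME }} and captures NAME.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def action_repo(uses: str) -> str:
    """Reduce a `uses:` reference to owner/repo for allowlist matching.

    'owner/repo/path@v1' -> 'owner/repo'; local ('./x') and 'docker://' refs are returned unchanged.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return uses
    return "/".join(uses.split("@", 1)[0].split("/")[:2])


def runner_labels(runs_on) -> list:
    """Normalise the accepted shapes of `runs-on` (string, list, {group, labels}) to a list of labels."""
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        return [labels] if isinstance(labels, str) else list(labels)
    return list(runs_on)


def find_secret_refs(node) -> list:
    """Walk the parsed workflow and return the name from every ${{ secrets.NAME }} expression."""
    if isinstance(node, dict):
        return [n for v in node.values() for n in find_secret_refs(v)]
    if isinstance(node, list):
        return [n for v in node for n in find_secret_refs(v)]
    if isinstance(node, str):
        return SECRET_REF.findall(node)
    return []


def evaluate(workflow: dict, branch: str, policy: dict) -> list:
    """Return (policy_type, location, detail) tuples; an empty list means the run would be compliant."""
    violations = []
    for job_name, job in workflow.get("jobs", {}).items():
        for label in runner_labels(job.get("runs-on", [])):
            if label in policy["disallowed_runner_labels"] or label not in policy["allowed_runner_labels"]:
                violations.append(("runner-label", job_name, label))
        # Job-level `uses:` (reusable workflow) and step-level `uses:` are checked the same way.
        for uses in [job.get("uses")] + [s.get("uses") for s in job.get("steps", [])]:
            if not uses:
                continue
            if uses in policy["compromised_actions"]:
                violations.append(("compromised-action", job_name, uses))
            elif action_repo(uses) not in policy["allowed_actions"]:
                violations.append(("allowed-actions", job_name, uses))
    if branch != DEFAULT_BRANCH and not policy["secrets_on_non_default_branch"]:
        # Assumption of this example: the automatic GITHUB_TOKEN is not counted as an organization secret.
        for name in find_secret_refs(workflow):
            if name != "GITHUB_TOKEN":
                violations.append(("secret-exfiltration", branch, name))
    return violations


# Constructed sample workflow, as it would look after YAML parsing; not a file from the demo repository.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": {"push": {}, "pull_request": {}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"uses": "actions/setup-node@v4", "with": {"node-version": 20}},
                {"uses": "example-org/untrusted-action@v1"},  # not on the allowlist
                {"run": "./deploy.sh", "env": {"TOKEN": "${{ secrets.DEPLOY_TOKEN }}"}},
            ],
        },
        "release": {
            "runs-on": ["self-hosted", "gpu"],  # 'gpu' is not an allowed label
            "steps": [{"uses": "example-org/compromised-action@v2"}],
        },
    },
}

if __name__ == "__main__":
    for violation in evaluate(SAMPLE_WORKFLOW, "feature/x", POLICY):
        print(violation)
```

Run against the sample on `feature/x` the script reports one violation per policy type; on `main` the `DEPLOY_TOKEN` finding disappears while the other three remain, which mirrors the distinction in the list above between rules that depend on the branch and rules that depend only on the workflow's contents.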

When a workflow run is blocked, you will see this message in the workflow run:

```
The run was canceled by @stepsecurity-app[bot].
```

Compliant workflow runs continue without any impact—everything runs as expected.

Use this interactive demo to learn how to set up an Actions policy in your organization:

{% embed url="https://app.storylane.io/share/oyniugodihnf" %}
