
Workflow execution protections

Workflow execution protections let you control who can trigger GitHub Actions workflows and which events are permitted to run them across your organization.

Note

Workflow execution protections are in public preview and subject to change.

About workflow execution protections

Workflow execution protections let you define an allow list that controls who can trigger GitHub Actions workflows and which events are permitted to run them. Previously, a workflow ran based on the workflow file in the commit that triggered it, and an attacker with repository access could modify that file to run malicious code. Workflow execution protections close that gap. Administrators define the rules, and GitHub Actions evaluates them before a workflow runs, so an unauthorized actor or event never reaches execution.

Workflow execution protections are available at the enterprise, organization, and repository levels.

Backed by rulesets

Workflow execution protections are built on the GitHub rulesets framework, so the targeting you already know from rulesets works here too. You can apply protections with rulesets and scope them to specific repositories using repository custom properties. This means you can enforce broad protections from one place rather than configuring each workflow file individually. For more information about rulesets, see About rulesets.

You can also use evaluate mode to run your rules without enforcing them. Evaluate mode shows you exactly what a rule would block before you enforce it, so you can roll out policies without breaking existing workflows.

Available rules

Event and actor are the first two rules, and GitHub plans to add more rules over time.

  • Actor rules control who can trigger workflows, including individual users, repository roles such as Read, Maintain, and Admin, GitHub Apps, Copilot, and Dependabot.
  • Event rules control which events are permitted, such as push, pull_request, pull_request_target, and workflow_dispatch.

By default, every user with write access to a repository can trigger workflows. Actor rules let you separate who contributes code from who runs your CI, so you can grant a contributor write access without granting them the ability to execute workflows.

Stop common attacker techniques

Workflow execution protections disrupt several real-world attack patterns:

  • Poisoned pipeline execution from pull requests. Restrict or prohibit pull_request_target, including in public repositories where it is most often exploited.
  • Manual-trigger abuse. Limit workflow_dispatch to maintainers so untrusted identities cannot start workflows.
  • Untrusted-actor execution. Block low-trust identities from triggering workflows entirely.
  • Misconfiguration exploitation. Apply central policy that overrides any single misconfigured workflow file.
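To make the allow-list semantics of the actor and event rules concrete (and the difference between evaluate mode and an active ruleset), here is a small policy evaluator. It is an added example written for this page, not GitHub's implementation or API; the `Trigger`/`Ruleset` model, the role ranking, and the sample triggers are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordering of repository roles (Read < Triage < Write < Maintain < Admin).
ROLE_RANK = {"Read": 0, "Triage": 1, "Write": 2, "Maintain": 3, "Admin": 4}

@dataclass
class Trigger:              # constructed model of a would-be workflow run
    event: str              # e.g. push, pull_request_target, workflow_dispatch
    actor: str              # user login, app slug or bot name
    role: str               # actor's repository role, "None" for outsiders
    actor_type: str = "user"

@dataclass
class Ruleset:
    allowed_events: set                                  # event rule: allow list
    allowed_actors: set = field(default_factory=set)     # actor rule: explicit identities
    min_role: Optional[str] = None                       # actor rule: role threshold
    per_event_min_role: dict = field(default_factory=dict)
    enforce: bool = True                                 # False = evaluate mode

    def violation(self, t: Trigger) -> Optional[str]:
        if t.event not in self.allowed_events:
            return f"event {t.event} not permitted"
        if t.actor in self.allowed_actors:               # e.g. Dependabot
            return None
        needed = self.per_event_min_role.get(t.event, self.min_role)
        if needed is None or ROLE_RANK.get(t.role, -1) < ROLE_RANK[needed]:
            return f"actor {t.actor} ({t.role}) may not trigger {t.event}"
        return None

    def evaluate(self, t: Trigger) -> str:
        v = self.violation(t)
        if v is None:
            return "run"
        return f"blocked: {v}" if self.enforce else f"would block: {v}"

# Constructed policy: no pull_request_target; Write may run CI; only
# Maintain/Admin may use workflow_dispatch; Dependabot is always allowed.
POLICY = Ruleset({"push", "pull_request", "workflow_dispatch"},
                 allowed_actors={"dependabot[bot]"}, min_role="Write",
                 per_event_min_role={"workflow_dispatch": "Maintain"})

SAMPLE_TRIGGERS = [                                      # constructed inputs
    Trigger("push", "octocat", "Write"),
    Trigger("pull_request_target", "octocat", "Admin"),
    Trigger("workflow_dispatch", "newhire", "Write"),
    Trigger("workflow_dispatch", "release-mgr", "Maintain"),
    Trigger("pull_request", "outsider", "None"),
    Trigger("push", "dependabot[bot]", "None", "bot"),
]

def decisions(policy: Ruleset = POLICY) -> list:
    return [policy.evaluate(t) for t in SAMPLE_TRIGGERS]
```

Switching `enforce=False` turns every "blocked" into "would block", which is the report you would review in evaluate mode before activating the ruleset.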

Configuring workflow execution protections

You configure workflow execution protections in the new Policies section of your GitHub Actions settings. This Policies section is separate from your existing General settings.

  1. In the upper-right corner of GitHub, click your profile photo, then click Your organizations.

  2. Click the name of your organization.

  3. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs on an organization profile. The "Settings" tab is outlined in dark orange.

  4. In the left sidebar, under Actions, click Policies.

  5. Create a ruleset, then add your event and actor rules.

  6. Choose whether the ruleset is active or in evaluate mode, then save your changes.