Disabling local actions

I would like to restrict action usage in my org to an explicit allow list. The UI for setting action policies appears to suggest this is possible, as the 2nd policy “Allow local actions only” is clearly a subset of the 1st policy “Allow all actions”. However, the 3rd policy “Allow select actions” is neither a subset nor an “allow only”, as the UI implies.

Checking either box, or making entries in the “Allow specific actions” section, only appears to extend the allowed actions beyond the “local actions” scope.

Snippets that I’ve tried (based on the policy form doc link) include:

  • denying local actions: !octocat/* or !/octocat/**
  • allowing only a non-existent action: octocat/no_such_action

Has anyone had success configuring a policy to only allow specific actions?
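The behaviour described above leaves local and same-org actions outside the allow list, so one compensating control is a repository-side check that audits every `uses:` reference against an explicit list. The sketch below is an added example, not part of the original post and not GitHub's policy engine; it assumes an org named `octocat` as in the post's snippets, uses Python `fnmatch` globbing rather than GitHub's pattern matcher, and the workflow text and allow list are constructed.

```python
import re
from fnmatch import fnmatchcase

# Captures the value of a step- or job-level "uses:" key, quoted or not.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")

def classify(ref, org):
    """Label a uses: value as 'local-path', 'same-org' or 'external'."""
    if ref.startswith("./"):
        return "local-path"          # action stored in the calling repo
    if ref.startswith("docker://"):
        return "external"
    owner = ref.split("/", 1)[0]
    return "same-org" if owner.lower() == org.lower() else "external"

def audit(workflow_text, org, allow_patterns):
    """Return (line number, reference, kind) for each reference not allowed."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Assumption: fnmatch globbing, where '*' also matches '/'.
        if not any(fnmatchcase(ref, p) for p in allow_patterns):
            findings.append((lineno, ref, classify(ref, org)))
    return findings

# Constructed sample workflow; action names other than actions/checkout are made up.
SAMPLE = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: octocat/internal-deploy@main
      - name: lint
        uses: "thirdparty/linter@v1"
      - run: echo done
"""
ALLOW = ["actions/checkout@*", "octocat/approved-build@*"]  # constructed allow list

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE, "octocat", ALLOW):
        print(f"line {lineno}: {ref} ({kind}) is not on the allow list")
```

Run as a required status check, a non-empty result can fail the build, which covers the local-path and same-org references that the org policy does not.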