Limit runners to specific actions

Hello all,

I’ve been studying the docs on self-hosted Actions runners for an infrastructure automation topic. I would like to have the ability to restrict when a self-hosted runner can be used but still be able to use it in multiple repositories.

For example:

  • being able to configure the runner with a list of accepted actions (reject a workflow that has any non-safelisted actions in jobs.<job_id>.steps[*].uses)
  • being able to tell the runner to reject workflows that have steps with jobs.<job_id>.steps[*].name

The use case here is that runners could have higher privileges than a user with write access to a repo, and as an admin I would like to prevent users from running commands and actions which might be destructive.

Is this something already in the roadmap?
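The kind of check described above, as an added Python example that is not part of this post or of GitHub's runner code. It assumes the workflow has already been parsed into a dict (the shape `yaml.safe_load` returns) and uses a constructed allowlist whose pattern style mirrors GitHub's "allowed actions" policy (`owner/*`, `owner/repo@*`, `owner/repo@v1`):

```python
import fnmatch
from typing import Dict, List


def uses_allowed(uses: str, allowlist: List[str]) -> bool:
    """True if a steps[*].uses reference matches at least one allowlist pattern.

    A pattern without "@" accepts any ref of that action; with "@" the ref part
    must match too. Local ("./path") and "docker://" references only pass if a
    pattern explicitly matches them, so they are rejected by default.
    """
    parts = uses.split("@", 1)
    name, ref = parts[0], (parts[1] if len(parts) > 1 else "")
    for pattern in allowlist:
        pat_name, _, pat_ref = pattern.partition("@")
        if fnmatch.fnmatchcase(name, pat_name) and (pat_ref == "" or fnmatch.fnmatchcase(ref, pat_ref)):
            return True
    return False


def check_workflow(workflow: Dict, allowlist: List[str], allow_run: bool = False) -> List[str]:
    """Walk jobs.<job_id>.steps[*] and return one message per violation (empty list = accept)."""
    violations = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            where = f"jobs.{job_id}.steps[{i}]"
            uses = step.get("uses")
            if uses is not None and not uses_allowed(uses, allowlist):
                violations.append(f"{where}.uses = {uses!r} is not on the allowlist")
            if "run" in step and not allow_run:
                violations.append(f"{where} is a run: step; arbitrary shell commands are not permitted on this runner")
    return violations


# Constructed sample workflow (what yaml.safe_load would return) and a constructed allowlist.
SAMPLE_WORKFLOW = {
    "name": "deploy",
    "jobs": {
        "build": {"runs-on": "self-hosted", "steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "actions/setup-node@v4", "with": {"node-version": "20"}},
            {"name": "Build", "run": "npm ci && npm run build"},
        ]},
        "deploy": {"runs-on": "self-hosted", "steps": [
            {"uses": "someone/deploy-anything@main"},
            {"uses": "docker://alpine:3.19"},
        ]},
    },
}
ALLOWLIST = ["actions/*", "github/codeql-action/*@v3"]

if __name__ == "__main__":
    for msg in check_workflow(SAMPLE_WORKFLOW, ALLOWLIST):
        print("REJECT:", msg)
```

Running the sample reports three violations: the `run:` step in `build` and both `uses` references in `deploy`; passing `allow_run=True` leaves only the two `uses` violations.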


It’s possible to restrict which actions can be used in workflows, but this applies not just to self-hosted runners but to workflows in general: