Securing workflow_dispatch manual workflow?


Is there a way to secure a workflow_dispatch workflow? I would like only Maintainers to be able to execute a manual workflow (e.g. Deploy to EBS).

You can check who is triggering the workflow (github.actor is the user who started the run):
if: github.actor == 'noinarisak' || github.actor == 'kingthorin'

Example here:
It’s slightly different: it runs for anyone other than the actors we check, but it’s the same basic idea (!= vs ==).

Sadly there isn’t (currently) a way to check if your team or a specific role contains the github.actor. I’ve submitted an enhancement request that they add something like @organization/some-team.contains(github.actor). Just as I’m writing this reply it occurs to me that something like a role comparison (== 'Maintainer') might also be handy.

Edit: There’s also some more details from GitHub staff here: Who can manually trigger a workflow using workflow_dispatch :

To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally, external users can’t trigger workflows in the repository.
If external users use a pull request from a forked repository to trigger a workflow, the GITHUB_TOKEN only has read permissions for some scopes.
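The complete workflow the thread is describing, as an added example that is not from the original posts or from GitHub's documentation. The usernames, the environment input and the deploy command are placeholders. It uses contains() over a fromJSON array rather than over a plain string: contains('["kingthorin","noinarisak"]', github.actor) is a substring test, so an actor named thorin or risak would also pass it, whereas the array form requires an exact element match. Note that, as the GitHub staff reply above says, anyone with Write access can still start the run; the if: only decides whether the deploy job executes, which is why a second job fails loudly instead of leaving a silently skipped run.

```yaml
# Added example, not part of the thread. Usernames, input and deploy command are placeholders.
name: Deploy to EBS (manual)

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Target environment
        required: true
        default: staging

# Least privilege for the default GITHUB_TOKEN; add scopes only if a step needs them.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # github.actor is the user who pressed "Run workflow".
    # fromJSON turns the literal into an array, so contains() matches whole
    # elements. Passing the string directly would be a substring match and
    # would also accept e.g. an actor named "thorin".
    if: contains(fromJSON('["kingthorin","noinarisak"]'), github.actor)
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: echo "Deploying ${{ github.event.inputs.environment }} as ${{ github.actor }}"

  reject:
    runs-on: ubuntu-latest
    # Inverse of the gate above. The leading "!" has to sit inside ${{ }} because
    # a bare "!" is YAML tag syntax. Failing here makes a refused run visible
    # in the Actions UI instead of showing only a skipped job.
    if: ${{ !contains(fromJSON('["kingthorin","noinarisak"]'), github.actor) }}
    steps:
      - run: |
          echo "::error::${{ github.actor }} is not on the deploy allow-list"
          exit 1
```

The allow-list still has to be edited by hand on every onboarding or offboarding, which is the maintenance problem raised later in the thread; keeping it in one place (this file) and reviewing changes to .github/workflows like any other privileged change is the practical mitigation until team-based expressions exist.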

Thanks @kingthorin!

The if: github.actor == ... example will have to work for now. Your enhancement request would be ideal (e.g. @organization/some-team.contains(github.actor)), especially because I have to address onboarding and offboarding members, and it’s a pain to keep updating the yaml every time. The list of members is just an eyesore and leaves a lot of room for errors. :sweat_smile:

Is the GH Actions enhancement request something I can add my additional vote to?

Sadly the form seems to be private (one-off) use:

@noinarisak I just came across this other syntax which is slightly better, but still requires a list of usernames.

if: contains('["kingthorin","noinarisak"]', github.actor)

Ref: [GitHub Actions] branch conditional