diff --git a/assets/images/help/actions/actions-runners-disabled.png b/assets/images/help/actions/actions-runners-disabled.png new file mode 100644 index 000000000000..852e00829646 Binary files /dev/null and b/assets/images/help/actions/actions-runners-disabled.png differ diff --git a/assets/images/help/business-accounts/user-namespace-repo-kebab.png b/assets/images/help/business-accounts/user-namespace-repo-kebab.png new file mode 100644 index 000000000000..38290991eb93 Binary files /dev/null and b/assets/images/help/business-accounts/user-namespace-repo-kebab.png differ diff --git a/assets/images/help/business-accounts/view-user-namespace-repos.png b/assets/images/help/business-accounts/view-user-namespace-repos.png new file mode 100644 index 000000000000..8a2fe21f9add Binary files /dev/null and b/assets/images/help/business-accounts/view-user-namespace-repos.png differ diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md index 075ff7360c23..4632ea6bae6e 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners.md @@ -284,6 +284,14 @@ Untrusted workflows running on your self-hosted runner pose significant security For more information about security hardening for self-hosted runners, see "[AUTOTITLE](/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)." +{% ifversion actions-disable-repo-runners %} + +### Restricting the use of self-hosted runners + +{% data reusables.actions.disable-selfhosted-runners-crossrefs %} + +{% endif %} + {% ifversion ghec or ghes or ghae %} ## Further reading 
diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md index 2bf79dea5dec..0ca2c59cbcbd 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners.md @@ -52,6 +52,16 @@ You can register ephemeral runners that perform a single job before the registra You can add self-hosted runners to a single repository. To add a self-hosted runner to a user repository, you must be the repository owner. For an organization repository, you must be an organization owner or have admin access to the repository. For information about how to add a self-hosted runner with the REST API, see "[AUTOTITLE](/rest/actions#self-hosted-runners)." +{% ifversion actions-disable-repo-runners %} + +{% note %} + +**Note**: {% data reusables.actions.disable-selfhosted-runners-crossrefs %} + +{% endnote %} + +{% endif %} + {% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %} {% data reusables.repositories.settings-sidebar-actions-runners %} diff --git a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md index b8bfd2bd5966..a2f8498bc9a2 100644 --- a/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md +++ b/content/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners.md 
@@ -18,6 +18,16 @@ shortTitle: Monitor & troubleshoot {% data reusables.actions.enterprise-github-hosted-runners %} +{% ifversion actions-disable-repo-runners %} + +## Using repository-level self-hosted runners + +You may not be able to create a self-hosted runner for an organization-owned repository. + +{% data reusables.actions.disable-selfhosted-runners-crossrefs %} + +{% endif %} + ## Checking the status of a self-hosted runner {% data reusables.actions.self-hosted-runner-management-permissions-required %} diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index dc9729415ddd..f9a37ea066a5 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md 
@@ -307,6 +307,12 @@ SBOMs are available for Ubuntu, Windows, and macOS runner images. You can locate {% ifversion fpt or ghec %}As a result, self-hosted runners should almost [never be used for public repositories](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security) on {% data variables.product.product_name %}, because any user can open pull requests against the repository and compromise the environment. Similarly, be{% elsif ghes or ghae %}Be{% endif %} cautious when using self-hosted runners on private or internal repositories, as anyone who can fork the repository and open a pull request (generally those with read access to the repository) are able to compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner. +{% ifversion actions-disable-repo-runners %} + +{% data reusables.actions.disable-selfhosted-runners-crossrefs %} + +{% endif %} + When a self-hosted runner is defined at the organization or enterprise level, {% data variables.product.product_name %} can schedule workflows from multiple repositories onto the same runner. Consequently, a security compromise of these environments can result in a wide impact. To help reduce the scope of a compromise, you can create boundaries by organizing your self-hosted runners into separate groups. You can restrict what {% ifversion restrict-groups-to-workflows %}workflows, {% endif %}organizations and repositories can access runner groups. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." 
You should also consider the environment of the self-hosted runner machines: diff --git a/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md b/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md index b5fb7d8a09b9..0765fd3dea26 100644 --- a/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md +++ b/content/admin/github-actions/getting-started-with-github-actions-for-your-enterprise/introducing-github-actions-to-your-enterprise.md 
@@ -87,7 +87,7 @@ You may need to upgrade the CPU and memory resources for {% data variables.locat {% ifversion ghec %}If you are using self-hosted runners, you have to decide whether you want to use physical machines, virtual machines, or containers.{% else %}Decide whether you want to use physical machines, virtual machines, or containers for your self-hosted runners.{% endif %} Physical machines will retain remnants of previous jobs, and so will virtual machines unless you use a fresh image for each job or clean up the machines after each job run. If you choose containers, you should be aware that the runner auto-updating will shut down the container, which can cause workflows to fail. You should come up with a solution for this by preventing auto-updates or skipping the command to kill the container. -You also have to decide where to add each runner. You can add a self-hosted runner to an individual repository, or you can make the runner available to an entire organization or your entire enterprise. Adding runners at the organization or enterprise levels allows sharing of runners, which might reduce the size of your runner infrastructure. You can use policies to limit access to self-hosted runners at the organization and enterprise levels by assigning groups of runners to specific repositories or organizations. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." +You also have to decide where to add each runner. You can add a self-hosted runner to an individual repository, or you can make the runner available to an entire organization or your entire enterprise. Adding runners at the organization or enterprise levels allows sharing of runners, which might reduce the size of your runner infrastructure. 
You can use policies to limit access to self-hosted runners at the organization and enterprise levels by assigning groups of runners to specific repositories or organizations. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners)" and "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups)." {% ifversion actions-disable-repo-runners %}You can also use policies to prevent people using repository-level self-hosted runners. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)."{% endif %} {% ifversion ghec or ghes %} You should consider using autoscaling to automatically increase or decrease the number of available self-hosted runners. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners)." diff --git a/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md b/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md index 686d18c452ed..559c9c697711 100644 --- a/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md +++ b/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise.md 
@@ -1086,7 +1086,8 @@ Before you'll see `git` category actions, you must enable Git events in the audi | Action | Description |--------|------------- -| `repo.access` | The visibility of a repository changed. +| `repo.access` | The visibility of a repository changed.{% ifversion emu-owned-repos %} +| `repo.temporary_access_granted` | Triggered when an enterprise owner temporarily enables access to a repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %} | `repo.actions_enabled` | {% data variables.product.prodname_actions %} was enabled for a repository. | `repo.add_member` | A collaborator was added to a repository. | `repo.add_topic` | A topic was added to a repository. diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md index cea42e721e7c..f4beb839e0af 100644 --- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md +++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md 
@@ -59,6 +59,32 @@ You can choose to disable {% data variables.product.prodname_actions %} for all {% data reusables.enterprise-accounts.actions-tab %} 1. Under "Policies", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} to the list. +{% ifversion actions-disable-repo-runners %} + +## Disabling repository-level self-hosted runners + +{% data reusables.actions.disable-selfhosted-runners-overview %} For more information on creating self-hosted runners at the repository level, see "[AUTOTITLE](/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository)." + +By default anyone with admin access to a repository can add a self-hosted runner for the repository. The enterprise settings allow you to disable the use of repository-level self-hosted runners across all repositories in your enterprise. If you allow repository-level self-hosted runners for your enterprise, organization owners can choose to allow or prevent creation of repository-level self-hosted runners for some or all repositories in their organization. For more information see, "[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization)." + +{% data reusables.actions.disable-selfhosted-runners-note %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +{% data reusables.enterprise-accounts.actions-tab %} +1. In the "Runners" section, select **Disable for all organizations**.{% ifversion ghec %} + + {% note %} + + **Note**: Owners of an {% data variables.enterprise.prodname_emu_enterprise %} can also choose to select **Disable in all Enterprise Managed User (EMU) repositories** to restrict runner creation for repositories that are owned by managed user accounts. 
+ + {% endnote %} + + {% endif %} +1. Click **Save** to apply the change. + +{% endif %} + ## Enforcing a policy for artifact and log retention in your enterprise {% data variables.product.prodname_actions %} can store artifact and log files. For more information, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)." diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md index ed045fceb033..21b36eee2eac 100644 --- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md +++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise.md 
@@ -87,7 +87,7 @@ Across all organizations owned by your enterprise, you can allow members to crea If you allow members to create repositories in your organizations, you can choose which types of repositories (public, private, and internal) that members can create. {% ifversion enterprise-namespace-repo-setting %} -{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can also prevent users from creating repositories owned by their user accounts. +{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, you{% else %}You{% endif %} can also prevent users from creating repositories owned by their user accounts. {% ifversion emu-owned-repos %}If you allow users to create repositories owned by their user accounts, you can view and temporarily access those repositories at any time. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise)" and "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %} {% endif %} {% data reusables.repositories.internal-repo-default %} For more information about internal repositories, see "[AUTOTITLE](/repositories/creating-and-managing-repositories/creating-a-new-repository)." diff --git a/content/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise.md b/content/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise.md new file mode 100644 index 000000000000..ea72c0cbf2b7 --- /dev/null +++ b/content/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise.md 
@@ -0,0 +1,37 @@ +--- +title: Accessing user-owned repositories in your enterprise +intro: "You can temporarily access a repository owned by a user within your enterprise." +permissions: Enterprise owners can temporarily access user-owned repositories. +versions: + feature: 'emu-owned-repos' +type: how_to +topics: + - Enterprise + - Repositories +shortTitle: Access user-owned repos +--- + +{% note %} + +**Note:** Temporarily accessing user-owned repositories is currently in beta for {% data variables.product.prodname_emus %} and subject to change. + +{% endnote %} + +## About temporary access to user-owned repositories + +If your enterprise uses {% data variables.product.prodname_emus %}, and you've allowed users to create repositories owned by their user accounts, you can temporarily access any user-owned repository within your enterprise. + +When you temporarily access a repository, you get admin access to the repository for two hours. You can take all the same actions as the repository owner, including editing the repository, changing the repository's settings, transferring the repository, and deleting the repository. + +The repository owner will receive an email informing them that you have enabled temporary access to the repository, and a `repo.temporary_access_granted` event will be added to the audit log for your enterprise and the user's security log. + +## Temporarily accessing a repository + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +{% data reusables.enterprise-accounts.repositories-tab %} +{% data reusables.enterprise.view-user-namespace-repos %} +1. To the right of the repository you want to access, select the {% octicon "kebab-horizontal" aria-label="Access repository" %} dropdown menu, then click **Enable temporary access**. + + ![Screenshot of the list of user namespace repositories. 
To the right of a repository, a kebab icon is outlined in dark orange.](/assets/images/help/business-accounts/user-namespace-repo-kebab.png) +1. Read the warnings, then click **Yes, enable temporary access**. diff --git a/content/admin/user-management/managing-repositories-in-your-enterprise/index.md b/content/admin/user-management/managing-repositories-in-your-enterprise/index.md index 5cf00ef94dba..718bc2f4b669 100644 --- a/content/admin/user-management/managing-repositories-in-your-enterprise/index.md +++ b/content/admin/user-management/managing-repositories-in-your-enterprise/index.md @@ -1,15 +1,18 @@ --- title: Managing repositories in your enterprise -intro: You can manage the settings available to repository administrators in your enterprise. +intro: You can manage repositories in your enterprise. redirect_from: - /enterprise/admin/user-management/repositories - /enterprise/admin/user-management/managing-repositories-in-your-enterprise versions: + ghec: '*' ghes: '*' ghae: '*' topics: - Enterprise children: + - /viewing-user-owned-repositories-in-your-enterprise + - /accessing-user-owned-repositories-in-your-enterprise - /configuring-git-large-file-storage-for-your-enterprise - /migrating-to-internal-repositories - /disabling-git-ssh-access-on-your-enterprise @@ -17,4 +20,3 @@ children: - /troubleshooting-service-hooks shortTitle: Manage repositories --- - diff --git a/content/admin/user-management/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md b/content/admin/user-management/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md new file mode 100644 index 000000000000..23b440b8b85c --- /dev/null +++ b/content/admin/user-management/managing-repositories-in-your-enterprise/viewing-user-owned-repositories-in-your-enterprise.md 
@@ -0,0 +1,27 @@ +--- +title: Viewing user-owned repositories in your enterprise +intro: "You can view all repositories owned by users within your enterprise." +permissions: Enterprise owners can view user-owned repositories. +versions: + feature: 'emu-owned-repos' +type: how_to +topics: + - Enterprise + - Repositories +shortTitle: View user-owned repos +--- + +{% note %} + +**Note:** Viewing user-owned repositories is currently in beta for {% data variables.product.prodname_emus %} and subject to change. + +{% endnote %} + +If your enterprise uses {% data variables.product.prodname_emus %}, and you've allowed users to create repositories owned by their user accounts, you can view all user-owned repositories within your enterprise. + +You can also temporarily access any user-owned repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)." + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.policies-tab %} +{% data reusables.enterprise-accounts.repositories-tab %} +{% data reusables.enterprise.view-user-namespace-repos %} diff --git a/content/authentication/keeping-your-account-and-data-secure/security-log-events.md b/content/authentication/keeping-your-account-and-data-secure/security-log-events.md index 724072373f94..ff70a3155af2 100644 --- a/content/authentication/keeping-your-account-and-data-secure/security-log-events.md +++ b/content/authentication/keeping-your-account-and-data-secure/security-log-events.md 
@@ -119,7 +119,8 @@ topics: | Action | Description |------------------|------------------- -| `access` | Triggered when you [change the visibility of a repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility). +| `access` | Triggered when you [change the visibility of a repository](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility).{% ifversion emu-owned-repos %} + | `temporary_access_granted` | Triggered when an enterprise owner enables temporary access to a repository. For more information, see "[AUTOTITLE](/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise)."{% endif %} | `add_member` | Triggered when a {% data variables.product.product_name %} user is {% ifversion fpt or ghec %}[invited to have collaboration access](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository){% else %}[given collaboration access](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository){% endif %} to a repository. | `add_topic` | Triggered when a repository owner [adds a topic](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics) to a repository. | `archived` | Triggered when a repository owner [archives a repository](/repositories/archiving-a-github-repository/archiving-repositories).{% ifversion ghes %} 
@@ -135,7 +136,7 @@ topics: | `remove_member` | Triggered when a {% data variables.product.product_name %} user is [removed from a repository as a collaborator](/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository). | `remove_topic` | Triggered when a repository owner removes a topic from a repository. | `rename` | Triggered when [a repository is renamed](/repositories/creating-and-managing-repositories/renaming-a-repository). -| `staff_unlock` | Triggered when an enterprise owner or {% data variables.contact.github_support %} (with permission from a repository administrator) temporarily unlocked the repository. The visibility of the repository isn't changed. +| `staff_unlock` | Triggered when an enterprise owner or {% data variables.contact.github_support %} (with permission from a repository administrator) temporarily unlocks the repository. The visibility of the repository isn't changed. | `transfer` | Triggered when [a repository is transferred](/repositories/creating-and-managing-repositories/transferring-a-repository). | `transfer_start` | Triggered when a repository transfer is about to occur. | `unarchived` | Triggered when a repository owner unarchives a repository. diff --git a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md index cf16107b0a66..009baa141b4e 100644 --- a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md +++ b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md 
@@ -50,6 +50,42 @@ You can choose to disable {% data variables.product.prodname_actions %} for all 1. Under "Policies", select {% data reusables.actions.policy-label-for-select-actions-workflows %} and add your required actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} to the list. 1. Click **Save**. +{% ifversion actions-disable-repo-runners %} + +## Limiting the use of self-hosted runners + +{% data reusables.actions.disable-selfhosted-runners-overview %} + +{% ifversion ghec or ghes %} + +{% note %} + +**Note**: If your organization belongs to an enterprise, creation of self-hosted runners at the repository level may have been disabled as an enterprise-wide setting. If this has been done, you cannot enable repository-level self-hosted runners in your organization settings. For more information, see "[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise)." + +{% endnote %} + +{% endif %} + +If a repository already has self-hosted runners when you disable their use, these will be listed with the status "Disabled" and they will not be assigned any new workflow jobs. + +![Screenshot of the "Runners" list showing a self-hosted runner with the status "Disabled."](/assets/images/help/actions/actions-runners-disabled.png) + +{% data reusables.actions.disable-selfhosted-runners-note %} + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.settings-sidebar-actions-general %} +1. Under "Runners," use the dropdown menu to choose your preferred setting: + - **All repositories** - self-hosted runners can be used for any repository in your organization. + - **Selected repositories** - self-hosted runners can only be used for the repositories you select. + - **Disabled** - self-hosted runners cannot be created at the repository level. +1. If you choose **Selected repositories**: + 1. 
Click {% octicon "gear" aria-label="Select repositories" %}. + 1. Select the check boxes for the repositories for which you want to allow self-hosted runners. + 1. Click **Select repositories**. + +{% endif %} + {% ifversion fpt or ghec %} ## Configuring required approval for workflows from public forks diff --git a/data/features/actions-disable-repo-runners.yml b/data/features/actions-disable-repo-runners.yml new file mode 100644 index 000000000000..83784cbf4e89 --- /dev/null +++ b/data/features/actions-disable-repo-runners.yml @@ -0,0 +1,6 @@ +# Reference: #10198 +# Documentation for the ability to disable repo-level self-hosted runners +versions: + fpt: '*' + ghec: '*' + ghes: '>= 3.10' diff --git a/data/features/emu-owned-repos.yml b/data/features/emu-owned-repos.yml new file mode 100644 index 000000000000..1a45eecc8073 --- /dev/null +++ b/data/features/emu-owned-repos.yml @@ -0,0 +1,2 @@ +versions: + ghec: '*' diff --git a/data/reusables/actions/disable-selfhosted-runners-crossrefs.md b/data/reusables/actions/disable-selfhosted-runners-crossrefs.md new file mode 100644 index 000000000000..02b11e529b27 --- /dev/null +++ b/data/reusables/actions/disable-selfhosted-runners-crossrefs.md @@ -0,0 +1 @@ +{% ifversion ghec or ghes %}Enterprise owners and organization {% elsif fpt %}Organization {% endif %}owners can disable the ability to create self-hosted runners at the repository level. For more information, see {% ifversion ghec or ghes %}"[AUTOTITLE](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#disabling-repository-level-self-hosted-runners)" and {% endif %}"[AUTOTITLE](/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#limiting-the-use-of-self-hosted-runners)." \ No newline at end of file 
diff --git a/data/reusables/actions/disable-selfhosted-runners-note.md b/data/reusables/actions/disable-selfhosted-runners-note.md new file mode 100644 index 000000000000..daa1f2d2c5bc --- /dev/null +++ b/data/reusables/actions/disable-selfhosted-runners-note.md @@ -0,0 +1,5 @@ +{% note %} + +**Note**: When creation of repository-level self-hosted runners is disabled, workflows can still access self-hosted runners that have been set up at the enterprise or organization level. + +{% endnote %} \ No newline at end of file diff --git a/data/reusables/actions/disable-selfhosted-runners-overview.md b/data/reusables/actions/disable-selfhosted-runners-overview.md new file mode 100644 index 000000000000..675337292b5a --- /dev/null +++ b/data/reusables/actions/disable-selfhosted-runners-overview.md @@ -0,0 +1,5 @@ +There is no guarantee that self-hosted runners for {% data variables.product.product_name %} will be hosted on ephemeral, clean virtual machines. As a result, they may be compromised by untrusted code in a workflow. + +Similarly, anyone who can fork the repository and open a pull request (generally those with read access to the repository) can compromise the self-hosted runner environment, including gaining access to secrets and the `GITHUB_TOKEN` which, depending on its settings, can grant write access to the repository. Although workflows can control access to environment secrets by using environments and required reviews, these workflows are not run in an isolated environment and are still susceptible to the same risks when run on a self-hosted runner. + +For these and other reasons, you may decide to prevent people creating self-hosted runners at the repository level. \ No newline at end of file diff --git a/data/reusables/enterprise/view-user-namespace-repos.md b/data/reusables/enterprise/view-user-namespace-repos.md new file mode 100644 index 000000000000..5399da7c9f70 --- /dev/null +++ b/data/reusables/enterprise/view-user-namespace-repos.md 
@@ -0,0 +1,3 @@ +1. In the "Repository creation" section, under "Block the creation of user namespace repositories," click **View user namespace repositories in your enterprise**. + + ![Screenshot of the "Repository creation" section of the "Repository policies" page. A link, labeled with an eye icon and "View user namespace repositories in your enterprise," is outlined in orange.](/assets/images/help/business-accounts/view-user-namespace-repos.png) \ No newline at end of file
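Review bot: In the new "Using repository-level self-hosted runners" section of monitoring-and-troubleshooting-self-hosted-runners.md, the symptom sentence "You may not be able to create a self-hosted runner for an organization-owned repository" does not say what the reader actually observes, which is the whole purpose of a troubleshooting entry. The organization-settings page in this same patch states that existing runners "will be listed with the status "Disabled" and they will not be assigned any new workflow jobs"; restate that here (the option to add a repository runner is unavailable, and any existing repository runners show "Disabled" and stop receiving jobs) before the cross-reference, so a reader who lands here with a job stuck in the queue can recognise the cause.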
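Review bot: In introducing-github-actions-to-your-enterprise.md, "You can also use policies to prevent people using repository-level self-hosted runners" is missing "from" ("prevent people from ..."), and "using" understates the control: the linked section is titled "Disabling repository-level self-hosted runners" and the overview reusable describes it as preventing people "creating self-hosted runners at the repository level". Suggest: "You can also use policies to prevent people from creating self-hosted runners at the repository level."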
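Review bot: In audit-log-events-for-your-enterprise.md, the new `repo.temporary_access_granted` row is inserted between `repo.access` and `repo.actions_enabled`, which breaks the alphabetical order the `repo` table follows (`access`, `actions_enabled`, `add_member`, `add_topic`, ...); move it to its alphabetical position later in the table. Its description, "temporarily enables access to a repository", also differs from the security-log wording added in this patch, "enables temporary access to a repository"; use one phrase in both tables so it is obvious these are the same event.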
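Review bot: In the new "Disabling repository-level self-hosted runners" section of enforcing-policies-for-github-actions-in-your-enterprise.md, the link `/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository` hardcodes the Enterprise Cloud version, but data/features/actions-disable-repo-runners.yml enables this section for `ghes: '>= 3.10'` as well, so GHES readers would be sent to the cloud docs for a page that exists in their own version. Drop the `/enterprise-cloud@latest` prefix, as the other AUTOTITLE links in the same hunk do. Two wording fixes in the same paragraph: "By default anyone" needs a comma ("By default, anyone"), and "For more information see," should be "For more information, see".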
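Review bot: In accessing-user-owned-repositories-in-your-enterprise.md, the page says the enterprise owner gets "admin access to the repository for two hours" and that a `repo.temporary_access_granted` event is written to the enterprise audit log and the user's security log, but it does not say whether the access can be ended before the two hours elapse or whether expiry produces any record. Since this is full admin access, including transfer and deletion, granted without the owner's consent, please state explicitly whether there is a revoke action and whether only the grant is audited; the audit-log and security-log tables in this patch add only the `granted` event, so readers will assume no other record exists.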
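Review bot: In managing-repositories-in-your-enterprise/index.md, adding `ghec: '*'` to `versions` makes this index render for Enterprise Cloud for the first time, while the pre-existing children (`/configuring-git-large-file-storage-for-your-enterprise`, `/migrating-to-internal-repositories`, `/disabling-git-ssh-access-on-your-enterprise`, `/troubleshooting-service-hooks`) were previously only reachable under `ghes` and `ghae`. Please confirm each of those articles carries its own `versions` front matter so they are filtered out on GHEC; otherwise the index will list pages that do not apply to Enterprise Cloud next to the two new user-owned-repository articles.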
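Review bot: In security-log-events.md, the new `temporary_access_granted` row starts with a space before the leading pipe (`+ | \`temporary_access_granted\``), unlike every other row in the table; remove the indent so it matches. It is also inserted between `access` and `add_member`, out of the table's alphabetical order; it belongs between `staff_unlock` and `transfer`, which are both visible in the second hunk of the same file.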
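Review bot: In the new "Limiting the use of self-hosted runners" section of disabling-or-limiting-github-actions-for-your-organization.md, the sentence "If a repository already has self-hosted runners when you disable their use, these will be listed with the status "Disabled" and they will not be assigned any new workflow jobs" only covers the **Disabled** option. Say whether the same happens to existing runners in repositories that are not ticked under **Selected repositories**, since that is the case an administrator tightening the list is most likely to hit. The option text "**Disabled** - self-hosted runners cannot be created at the repository level" also describes only creation, while the preceding sentence describes existing runners being taken out of service; the option description should cover both effects.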
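Review bot: In data/features/emu-owned-repos.yml, the new feature file has no `# Reference:` comment, while data/features/actions-disable-repo-runners.yml in the same patch records `# Reference: #10198` and a one-line description of the feature. Add the issue reference and a short description so the flag can be traced when the beta ends and the gate is removed.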
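Review bot: In data/reusables/actions/disable-selfhosted-runners-overview.md, the second paragraph ("Similarly, anyone who can fork the repository and open a pull request ... can compromise the self-hosted runner environment ...") is a near-verbatim copy of the paragraph in security-hardening-for-github-actions.md that this patch also touches, and the two already differ ("are able to compromise" on the hardening page versus "can compromise" here). Either have the hardening page include this reusable or cut the duplicated paragraph here to a one-sentence summary plus a link, so the risk statement is maintained in one place. Also, "prevent people creating self-hosted runners" should be "prevent people from creating self-hosted runners".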
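Review bot: In data/reusables/enterprise/view-user-namespace-repos.md, as in the three new data/reusables/actions/disable-selfhosted-runners-*.md files, the file ends with "\ No newline at end of file"; add the trailing newline so the next edit to these files does not show a spurious change on the last line. The screenshot alt text here says the link is "outlined in orange" while the sibling screenshot in accessing-user-owned-repositories-in-your-enterprise.md says "outlined in dark orange"; use one phrase for both.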