Add recommendations for runner groups and labels #91

Open
konstruktoid wants to merge 15 commits into github:main from konstruktoid:rungroup

Conversation

konstruktoid commented May 22, 2026

This pull request makes several improvements to the documentation on securing GitHub Actions workflows. The most significant updates include adding new recommendations for segregating runners, enhancing repository ruleset guidance, and updating author attribution.

Enhancements to security recommendations:

  • Added a new recommendation to segregate runners by using organizational runner groups and labels to separate high-privilege from low-privilege runners, reducing the risk of unauthorized access to sensitive resources. [1] [2]
  • Expanded repository ruleset guidance by recommending the use of "Require workflows to pass before merging" to enforce organizational or enterprise-level workflow requirements prior to merging.

Documentation and metadata updates:

  • Updated the authors list in the document metadata to include Thomas Sjögren (konstruktoid).

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 22, 2026 16:03
@konstruktoid konstruktoid requested review from a team as code owners May 22, 2026 16:03

Copilot AI left a comment


Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.

Updates the “Securing GitHub Actions Workflows” guidance by adding runner-segregation recommendations and expanding ruleset guidance, while marking the page as draft.

Changes:

  • Set the page to draft: true and added an additional author.
  • Added “Segregate runners” as a top-level recommendation and a dedicated section with implementation details.
  • Added a repository ruleset recommendation to require workflows to pass before merging.


Comment thread on content/library/application-security/recommendations/actions-security/index.md (outdated), on the proposed text:

Use [runner groups](https://docs.github.com/en/actions/concepts/runners/runner-groups) and [labels](https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/apply-labels) to separate high-privilege runners from low-privilege runners. High-privilege runners may have access to sensitive resources or direct host access, while low-privilege runners should not.

This separation provides more granular control over [which repositories can access different runners](https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/manage-access#changing-which-repositories-can-access-a-runner-group) and which [jobs can access specific runners](https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job). It also reduces the risk that a compromised or misconfigured workflow could gain access to sensitive resources.

Reviewer comment:

Can you clarify the "which jobs can access specific runners"? This cannot be enforced once a repo has access to a given runner (you can restrict which workflows can use the runner, but not the jobs); any job can use it.

Unless you restrict the workflows that can access a runner, if a user can author workflows in a repo which has access to the runner, it can use it.

konstruktoid (Author) replied:

Yeah, it's actually workflows, but https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#choosing-self-hosted-runners says "To specify a self-hosted runner for your job, configure runs-on in your workflow file with self-hosted runner labels." and "When you combine groups and labels, the runner must meet both requirements to be eligible to run the job." (https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners/use-in-a-workflow#using-labels-and-groups-to-route-jobs).
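As an added example (not text from this pull request, the guidance page, or the GitHub documentation), a workflow that routes a low-privilege test job and a high-privilege deploy job to different runner groups using the group-plus-labels form of runs-on quoted above; the group names, labels, scripts and environment name are assumed placeholders.

```yaml
# Added example: routing jobs to segregated runner groups.
# Group names (low-priv-builders, high-priv-deployers), labels and the
# deploy script are assumed placeholders; both groups must exist at the
# organization level and this repository must be granted access to each.
name: build-and-deploy

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read   # least-privilege default token for every job

jobs:
  test:
    # Untrusted pull request code runs only on the low-privilege group.
    # A runner is eligible only if it is in this group AND carries
    # every label listed here.
    runs-on:
      group: low-priv-builders
      labels: [self-hosted, linux, x64]
    steps:
      - uses: actions/checkout@v4
      - run: make test

  deploy:
    # Runs only after the tests pass, only on pushes to the default
    # branch, and only on high-privilege runners that hold the deploy
    # label; the environment adds its own protection rules.
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    environment: production
    runs-on:
      group: high-priv-deployers
      labels: [self-hosted, linux, x64, deploy]
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy.sh   # assumed placeholder deploy step
```

As the reviewer points out, runs-on only selects a runner: whether a job may reach high-priv-deployers at all is decided by that group's repository access and, where configured, its allowed-workflows restriction, so a job in any other workflow of an allowed repository could still target the group unless the group itself restricts which workflows may use it.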

konstruktoid and others added 5 commits May 27, 2026 16:29
…ecurity/index.md

Co-authored-by: Ken Muse <kenmuse@users.noreply.github.com>
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
@konstruktoid konstruktoid requested a review from Copilot June 16, 2026 14:42

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

well-architected-sync-bot Bot and others added 2 commits June 18, 2026 07:21
* Sync from github/github-well-architected-internal (main)

Source Repository: github/github-well-architected-internal

Source Branch: main

Source SHA: 19df7eb80cb63be9f9f42048ccf315e876108117

* Fix PR HTML proofer by preprocessing content

---------

Co-authored-by: well-architected-sync-bot[bot] <235114805+well-architected-sync-bot[bot]@users.noreply.github.com>
Co-authored-by: David Kalmin <dkalmin@github.com>
Sync from github/github-well-architected-internal (main)

Source Repository: github/github-well-architected-internal

Source Branch: main

Source SHA: ff52156188feebe7b601a566b5112519172b4714

Co-authored-by: well-architected-sync-bot[bot] <235114805+well-architected-sync-bot[bot]@users.noreply.github.com>