Improve Workflow Runner Group Documentation
Code of Conduct
- [x] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
- https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization
- https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
What part(s) of the article would you like to see updated?
- There is a gap in the documentation around Runner Groups, specifically around workflow restrictions.
- Upon testing myself, I found that if you restrict a runner group to a workflow and then call that workflow in a different repo, the runner group is available/works only for the portion where you called the approved workflow.
- This has big security hardening implications: enabling workflows to be shared across an organization, while ensuring that only code you trust always runs on your shared self-hosted runners in a group.
- Only mention I could find of this is this brief blog post without any mention in the actual documentation: https://github.blog/changelog/2022-03-21-github-actions-restrict-self-hosted-runner-groups-to-specific-workflows/
- I think the first article should have more info on workflow restrictions and calling restricted workflows. The second article should include a recommendation for restricting workflows with runner groups and then calling those restricted workflows when sharing workflows across an org.
Additional information
No response
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
As long as this isn't being done internally already, I'm happy to open a PR with my best attempt when I have time.
Thanks for opening an issue! Let me check into this to make sure there isn't some reason it's undocumented, and get back to you with what I find out.
Thank you, please check.
@MaxHoecker I found out this actually is documented, it's just only documented for Enterprise versions. I'm trying to figure out why it's versioned just for that. It looks like you're working with an organization and it's behaving the same way for you?
Yes
Please fix it
I usually work alone.
A stale label has been added to this issue, because it has been open for 30 days with no activity. If you think this issue should remain open, please add a new comment.
Hello @Sharra-writes, thanks for the response.
Sorry if it wasn't clear in my original message, but the gap I'm talking about is specifically for restricting runner groups to reusable workflows. Unfortunately, the link you sent is one I already had contained in my original message, and the page doesn't document what I'm talking about. In the image I've attached, the left side of the dotted line is documented, but not the right.
The use case is that, within an Organization, I want to let other internal teams use a special runner group I manage, which has elevated permissions to a resource, but I want to ensure that they can only use my runner group when using my reusable workflow, which I also manage.
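The setup described in the comment above, sketched as an added example that is not part of the thread or of GitHub's documentation. The organization, repository, file and group names (`example-org`, `platform-workflows`, `team-app`, `privileged-runners`) are hypothetical, and the example assumes the runner group is visible to the calling repository and restricted to the single reusable workflow shown.

```yaml
# File 1 (hypothetical): example-org/platform-workflows/.github/workflows/privileged-deploy.yml
# Assumed runner group setting: "privileged-runners" is restricted to exactly this workflow,
#   example-org/platform-workflows/.github/workflows/privileged-deploy.yml@main
name: privileged-deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
jobs:
  deploy:
    runs-on:
      group: privileged-runners        # only jobs defined in this file should reach the group
    steps:
      - name: Deploy using the runner's elevated access
        env:
          TARGET_ENV: ${{ inputs.environment }}   # pass caller input via env, not inline in the script
        run: echo "deploying to $TARGET_ENV"      # placeholder for the maintained deploy logic
---
# File 2 (hypothetical): example-org/team-app/.github/workflows/release.yml
# A caller in another repository, owned by a different team.
name: release
on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest             # the team's own steps stay off the privileged runners
    steps:
      - uses: actions/checkout@v4
      - run: make build
  deploy:
    needs: build
    # Calling the allowed workflow at the allowed ref: per the behaviour reported in this
    # issue, the runner group works for this portion of the run only.
    uses: example-org/platform-workflows/.github/workflows/privileged-deploy.yml@main
    with:
      environment: production
  direct:
    # Defined in the caller's own file, so it is not the allowed workflow; per the report,
    # the restricted group is not available to it.
    runs-on:
      group: privileged-runners
    steps:
      - run: echo "caller-controlled code"
```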
@MaxHoecker Sorry if our SME misunderstood! I'll reopen this to see if I can get them to look at your clarification, and advise me on whether we do actually need to update the docs.
A stale label has been added to this issue, because it has been open for 30 days with no activity. If you think this issue should remain open, please add a new comment.