How to Govern Usage
Rulesets
Rulesets are the new and improved branch protection rules, and they are configurable at the organization level. Rulesets help you control how people can interact with branches and tags in a repository.
You can grant bypass permission for individuals, teams, apps, or roles.
You can evaluate rulesets before you make them active and monitor the impact of the ruleset on your organization.
Branch & Tag Rulesets
Branch rulesets allow you to control how people interact with branches.
One of the most powerful features of branch rulesets is the ability to require a workflow to pass before a pull request can be merged. This gives you the ability to enforce policies at the organization level.
Push Rulesets
You can create push rulesets to block pushes to private or internal repositories and to those repositories' entire fork network.
Some common use cases include:
- Preventing anyone except CI/CD admins from pushing to the .github/**/* directory.
- Restricting the accidental push of files like .env or .pem. Similar to a gitignore file, you can use a push ruleset to block pushes of files with specific names or extensions, but enforced at the server level.
- Preventing large files from being pushed to your repositories.
- Restricting file path length.
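A local dry run of the push ruleset use cases above, in the spirit of evaluating a ruleset before making it active. This is an added example, not GitHub's code: the rule type names and parameter keys mirror what GitHub's rulesets API uses for push rulesets as I understand it, and the matching logic is my own approximation of GitHub's evaluation, so confirm behaviour against a real ruleset in evaluate mode.

```python
"""Dry-run a push ruleset against a pending push (added example, not GitHub code)."""
from fnmatch import fnmatch

# Constructed push ruleset covering the four use cases from the text.
# Rule type names and parameters follow the rulesets API as assumed here.
PUSH_RULESET = {
    "name": "protect-ci-and-secrets",
    "target": "push",
    "enforcement": "active",
    "rules": [
        {"type": "file_path_restriction",
         "parameters": {"restricted_file_paths": [".github/**/*"]}},
        {"type": "file_extension_restriction",
         "parameters": {"restricted_file_extensions": ["env", "pem"]}},
        {"type": "max_file_size", "parameters": {"max_file_size": 5}},  # MB
        {"type": "max_file_path_length",
         "parameters": {"max_file_path_length": 120}},
    ],
}


def evaluate_push(ruleset, files):
    """Return (path, rule_type) violations for the files in a pending push.

    files: iterable of (path, size_in_bytes). fnmatch lets '*' cross '/',
    which approximates GitHub's '**' globs closely enough for a dry run.
    """
    violations = []
    for rule in ruleset["rules"]:
        kind, params = rule["type"], rule["parameters"]
        for path, size in files:
            if kind == "file_path_restriction" and any(
                    fnmatch(path, pat) for pat in params["restricted_file_paths"]):
                violations.append((path, kind))
            elif kind == "file_extension_restriction" and any(
                    path.endswith("." + ext.lstrip("."))
                    for ext in params["restricted_file_extensions"]):
                violations.append((path, kind))
            elif kind == "max_file_size" and size > params["max_file_size"] * 1024 * 1024:
                violations.append((path, kind))
            elif kind == "max_file_path_length" and len(path) > params["max_file_path_length"]:
                violations.append((path, kind))
    return violations


if __name__ == "__main__":
    # Constructed sample push: a workflow edit, a leaked secret, a large binary.
    sample = [(".github/workflows/deploy.yml", 800), ("config/prod.env", 120),
              ("models/weights.bin", 50 * 1024 * 1024), ("src/main.py", 2000)]
    for path, kind in evaluate_push(PUSH_RULESET, sample):
        print(f"blocked: {path} ({kind})")
```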
Environment Protection Rules: Custom Gating
Environment protection rules allow you to protect a job from running. This is useful if you have a sensitive job that you'd like to put controls around.
Required reviewers
You can require a specific number of reviewers to approve a job before it can run.
Wait timer
You can delay a job for a specified amount of time. This is useful if you want to give people a chance to cancel a job.
Custom gating
There are existing deployment protection rules via GitHub Apps. You can also create your own custom deployment protection rules.
- Deployment protection rules
- Configuring custom deployment protection rules
- Creating custom deployment protection rules
Spending Limits and Budgets/Cost Centers
It's always a good idea to set spending limits to avoid accidents.
Actions Policies
Allow List for Marketplace Actions
You can allow only a specific list of actions to be used in your organization. This is useful if you want to prevent people from using actions that are not approved.
Wildcards are available, and there are convenient toggles for GitHub-authored actions as well as actions created by verified creators.
Enable/Disable Actions
You can choose to disable GitHub Actions or limit it to actions and reusable workflows in your organization.
Audit Log
Because of the enormous amount of events that can be generated by GitHub Actions, it is not always feasible to query the API for all events. Instead, you can stream the audit log to a SIEM or other log management solution.
Status Checks
Status checks let you know if your commits meet the conditions set for the repository you're contributing to.
You can see the pending, passing, or failing state of status checks next to individual commits in your pull request.
A job that is skipped reports its status as "Success". It will not prevent a pull request from merging, even if it is a required check, so a required check that can be skipped does not by itself guarantee that the check actually ran.