GitHub Actions workflow execution protections now in public preview
GitHub Actions workflow execution protections are now in public preview, allowing administrators to define allow lists for workflow triggers. This feature enhances security by preventing unauthorized users or events from initiating workflows, which could otherwise be exploited to run malicious code. Initially available for GitHub Enterprise, organizations, and repositories, it helps mitigate common attack patterns like poisoned pipeline execution and manual-trigger abuse.
- Workflow execution protections introduced for GitHub Actions
- Introduces Actor and Event rule types for workflow triggers
- Integrates with GitHub rulesets for centralized policy management
- Helps mitigate common attacker techniques
- Includes an evaluate mode for policy rollout
Features (2)
- Workflow execution protections introduced for GitHub Actions
GitHub Actions workflow execution protections are now available in public preview for GitHub Enterprise, organizations, and repositories. This feature allows administrators to define an allow list that controls who can trigger workflows and which events are permitted, enhancing predictability and security.
- Introduces Actor and Event rule types for workflow triggers
The initial release includes two rule types: Actor rules, which control who can trigger workflows (users, roles, Apps, Dependabot), and Event rules, which specify permitted events like push or pull_request. Additional rule types will be added over time.
Enhancements (3)
- Integrates with GitHub rulesets for centralized policy management
Workflow execution protections leverage the GitHub rulesets framework, enabling administrators to apply protections across an enterprise with organization-wide rulesets or scope them to specific repositories. This allows for broad policy enforcement in a single location, rather than managing security per YAML file.
- Helps mitigate common attacker techniques
Because policy is applied centrally, workflow execution protections disrupt attack patterns such as poisoned pipeline execution from pull requests, manual-trigger abuse, untrusted-actor execution, and misconfiguration exploitation.
- Includes an evaluate mode for policy rollout
An evaluate mode is available for rulesets, allowing administrators to run policies in shadow mode to see what would be blocked before enforcing them. This helps prevent accidental breakage of existing workflows.
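
The following is an added example, not GitHub's code or ruleset schema: an offline dry run of a candidate Actor/Event allow list against recent workflow runs, useful for estimating what evaluate mode would flag. The `POLICY` shape, the rule that both checks must pass, and the sample runs are assumptions made for this example; the run fields (`id`, `path`, `event`, `triggering_actor.login`) follow the workflow run object of the GitHub REST API.

```python
from collections import Counter

# Hypothetical policy shape for this example only; not GitHub's ruleset schema.
# Assumption: a run is allowed only if it passes both the actor and event check.
POLICY = {
    "allowed_actors": {"alice", "release-bot[bot]", "dependabot[bot]"},
    "allowed_events": {"push", "pull_request"},
}

# Constructed sample records; in practice these would be exported from the
# repository's workflow run history.
RUNS = [
    {"id": 1, "path": ".github/workflows/ci.yml", "event": "push", "triggering_actor": {"login": "alice"}},
    {"id": 2, "path": ".github/workflows/ci.yml", "event": "pull_request", "triggering_actor": {"login": "dependabot[bot]"}},
    {"id": 3, "path": ".github/workflows/ci.yml", "event": "pull_request", "triggering_actor": {"login": "outside-contributor"}},
    {"id": 4, "path": ".github/workflows/deploy.yml", "event": "workflow_dispatch", "triggering_actor": {"login": "alice"}},
    {"id": 5, "path": ".github/workflows/deploy.yml", "event": "workflow_dispatch", "triggering_actor": {"login": "contractor1"}},
]

def evaluate(run, policy):
    """Return the rule types a run would violate (empty list means allowed)."""
    violations = []
    if run["triggering_actor"]["login"] not in policy["allowed_actors"]:
        violations.append("actor")
    if run["event"] not in policy["allowed_events"]:
        violations.append("event")
    return violations

def shadow_report(runs, policy):
    """Evaluate every run without blocking anything; summarise would-be blocks."""
    blocked, by_workflow = [], Counter()
    for run in runs:
        violations = evaluate(run, policy)
        if violations:
            blocked.append((run["id"], run["path"], tuple(violations)))
            by_workflow[run["path"]] += 1
    return {"total": len(runs), "would_block": blocked, "by_workflow": dict(by_workflow)}

if __name__ == "__main__":
    report = shadow_report(RUNS, POLICY)
    print(f"{len(report['would_block'])} of {report['total']} runs would be blocked")
    for run_id, path, violations in report["would_block"]:
        print(f"  run {run_id} {path}: fails {', '.join(violations)} rule")
```

Workflows that appear in `by_workflow` are the ones to review before switching a ruleset from evaluate to enforcement: either the allow list is missing a legitimate actor or event, or the workflow is being triggered in a way the policy is meant to stop.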
Notes (1)
- New 'Policies' section for workflow execution protections
Workflow execution protections can be found in the organization and repository settings under 'Actions', within a new 'Policies' section separate from existing 'General' Actions settings.
https://github.blog/changelog/2026-06-18-control-who-and-what-triggers-github-actions-workflows