How do runner groups interact with GitHub Environment protection rules?

Runner groups work alongside environment protections by ensuring that even if a workflow targets a production environment, it can only execute on runners within a specific, restricted group that requires manual approval for access.

How do I restrict access to high-cost resources like GPUs?

You can create a workload-based runner group (e.g., gpu-runners) and configure repository access permissions so that only specific, authorized machine learning repositories can utilize those expensive resources.

Is it safe to use self-hosted runners for public repositories?

Generally, no. Best practice dictates avoiding self-hosted runners for public repositories because external contributors can submit pull requests with malicious workflows that execute on your internal infrastructure.

Why should I use runner groups instead of a single default group?

Using a single group allows any repository in your organization to access any runner. Runner groups create critical security boundaries, preventing a compromised low-trust repository from executing code on high-trust production runners.

Runner Group Management

Name: Runner Group Management
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

安全与测试

Implements strategic organization and security boundaries for GitHub Actions self-hosted runners to prevent lateral movement and repository compromise.

This skill provides domain-specific guidance for architecting GitHub Actions runner groups based on trust levels, workload requirements, and compliance needs. It helps DevOps engineers and security teams move away from vulnerable 'all-access' runner configurations toward a secure-by-default model, ensuring that sensitive production environments and high-cost resources are strictly isolated. By applying techniques for environment protection and network segmentation, users can significantly reduce the blast radius of potential repository compromises while optimizing resource allocation.

主要功能

01Risk mitigation patterns to prevent unauthorized lateral movement

02Workload isolation strategies for high-resource tasks like GPU and heavy builds

03Compliance-specific configurations for PCI-DSS, HIPAA, and FedRAMP

04Environment-based controls using protection rules and manual approvals

05Trust-level organization for public, internal, and private repositories

060 GitHub stars

使用场景

01Segregating production deployment runners from development and testing environments

02Implementing regulatory-compliant runner groups with enhanced audit logging and network isolation

03Isolating high-cost GPU resources to prevent unauthorized usage in general CI/CD

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills runner-group-management

For use in Claude.ai and ChatGPT

Download Skill