REST API endpoints for GitHub Actions permissions
Use the REST API to interact with permissions for GitHub Actions.
About permissions for GitHub Actions
You can use the REST API to set permissions for the organizations and repositories that are allowed to run GitHub Actions, and the actions and reusable workflows that are allowed to run. For more information, see "Usage limits, billing, and administration."
Get GitHub Actions permissions for an organization
Gets the GitHub Actions permissions policy for repositories and allowed actions and reusable workflows in an organization.
OAuth tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Get GitHub Actions permissions for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (read)
Parameters for "Get GitHub Actions permissions for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
HTTP response status codes for "Get GitHub Actions permissions for an organization"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get GitHub Actions permissions for an organization"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions
Response
Status: 200
{
"enabled_repositories": "all",
"allowed_actions": "selected",
"selected_actions_url": "https://api.github.com/organizations/42/actions/permissions/selected-actions"
}
Set GitHub Actions permissions for an organization
Sets the GitHub Actions permissions policy for repositories and allowed actions and reusable workflows in an organization.
OAuth app tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Set GitHub Actions permissions for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write)
Parameters for "Set GitHub Actions permissions for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
enabled_repositories string RequiredThe policy that controls the repositories in the organization that are allowed to run GitHub Actions. Can be one of: |
allowed_actions string The permissions policy that controls the actions and reusable workflows that are allowed to run. Can be one of: |
HTTP response status codes for "Set GitHub Actions permissions for an organization"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set GitHub Actions permissions for an organization"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions \
-d '{"enabled_repositories":"all","allowed_actions":"selected"}'
Response
Status: 204
List selected repositories enabled for GitHub Actions in an organization
Lists the selected repositories that are enabled for GitHub Actions in an organization. To use this endpoint, the organization permission policy for enabled_repositories
must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth app tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "List selected repositories enabled for GitHub Actions in an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (read)
Parameters for "List selected repositories enabled for GitHub Actions in an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: |
page integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: |
HTTP response status codes for "List selected repositories enabled for GitHub Actions in an organization"
Status code | Description |
---|---|
200 | OK |
Code samples for "List selected repositories enabled for GitHub Actions in an organization"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/repositories
Response
Status: 200
{
"total_count": 1,
"repositories": [
{
"id": 1296269,
"node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
"name": "Hello-World",
"full_name": "octocat/Hello-World",
"owner": {
"login": "octocat",
"id": 1,
"node_id": "MDQ6VXNlcjE=",
"avatar_url": "https://github.com/images/error/octocat_happy.gif",
"gravatar_id": "",
"url": "https://api.github.com/users/octocat",
"html_url": "https://github.com/octocat",
"followers_url": "https://api.github.com/users/octocat/followers",
"following_url": "https://api.github.com/users/octocat/following{/other_user}",
"gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
"organizations_url": "https://api.github.com/users/octocat/orgs",
"repos_url": "https://api.github.com/users/octocat/repos",
"events_url": "https://api.github.com/users/octocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/octocat/received_events",
"type": "User",
"site_admin": false
},
"private": false,
"html_url": "https://github.com/octocat/Hello-World",
"description": "This your first repo!",
"fork": false,
"url": "https://api.github.com/repos/octocat/Hello-World",
"archive_url": "https://api.github.com/repos/octocat/Hello-World/{archive_format}{/ref}",
"assignees_url": "https://api.github.com/repos/octocat/Hello-World/assignees{/user}",
"blobs_url": "https://api.github.com/repos/octocat/Hello-World/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/octocat/Hello-World/branches{/branch}",
"collaborators_url": "https://api.github.com/repos/octocat/Hello-World/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/octocat/Hello-World/comments{/number}",
"commits_url": "https://api.github.com/repos/octocat/Hello-World/commits{/sha}",
"compare_url": "https://api.github.com/repos/octocat/Hello-World/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/octocat/Hello-World/contents/{+path}",
"contributors_url": "https://api.github.com/repos/octocat/Hello-World/contributors",
"deployments_url": "https://api.github.com/repos/octocat/Hello-World/deployments",
"downloads_url": "https://api.github.com/repos/octocat/Hello-World/downloads",
"events_url": "https://api.github.com/repos/octocat/Hello-World/events",
"forks_url": "https://api.github.com/repos/octocat/Hello-World/forks",
"git_commits_url": "https://api.github.com/repos/octocat/Hello-World/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/octocat/Hello-World/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/octocat/Hello-World/git/tags{/sha}",
"git_url": "git:github.com/octocat/Hello-World.git",
"issue_comment_url": "https://api.github.com/repos/octocat/Hello-World/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/octocat/Hello-World/issues/events{/number}",
"issues_url": "https://api.github.com/repos/octocat/Hello-World/issues{/number}",
"keys_url": "https://api.github.com/repos/octocat/Hello-World/keys{/key_id}",
"labels_url": "https://api.github.com/repos/octocat/Hello-World/labels{/name}",
"languages_url": "https://api.github.com/repos/octocat/Hello-World/languages",
"merges_url": "https://api.github.com/repos/octocat/Hello-World/merges",
"milestones_url": "https://api.github.com/repos/octocat/Hello-World/milestones{/number}",
"notifications_url": "https://api.github.com/repos/octocat/Hello-World/notifications{?since,all,participating}",
"pulls_url": "https://api.github.com/repos/octocat/Hello-World/pulls{/number}",
"releases_url": "https://api.github.com/repos/octocat/Hello-World/releases{/id}",
"ssh_url": "[email protected]:octocat/Hello-World.git",
"stargazers_url": "https://api.github.com/repos/octocat/Hello-World/stargazers",
"statuses_url": "https://api.github.com/repos/octocat/Hello-World/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/octocat/Hello-World/subscribers",
"subscription_url": "https://api.github.com/repos/octocat/Hello-World/subscription",
"tags_url": "https://api.github.com/repos/octocat/Hello-World/tags",
"teams_url": "https://api.github.com/repos/octocat/Hello-World/teams",
"trees_url": "https://api.github.com/repos/octocat/Hello-World/git/trees{/sha}",
"clone_url": "https://github.com/octocat/Hello-World.git",
"mirror_url": "git:git.example.com/octocat/Hello-World",
"hooks_url": "https://api.github.com/repos/octocat/Hello-World/hooks",
"svn_url": "https://svn.github.com/octocat/Hello-World",
"homepage": "https://github.com",
"language": null,
"forks_count": 9,
"stargazers_count": 80,
"watchers_count": 80,
"size": 108,
"default_branch": "master",
"open_issues_count": 0,
"is_template": true,
"topics": [
"octocat",
"atom",
"electron",
"api"
],
"has_issues": true,
"has_projects": true,
"has_wiki": true,
"has_pages": false,
"has_downloads": true,
"archived": false,
"disabled": false,
"visibility": "public",
"pushed_at": "2011-01-26T19:06:43Z",
"created_at": "2011-01-26T19:01:12Z",
"updated_at": "2011-01-26T19:14:43Z",
"permissions": {
"admin": false,
"push": false,
"pull": true
},
"allow_rebase_merge": true,
"template_repository": null,
"temp_clone_token": "ABTLWHOULUVAXGTRYU7OC2876QJ2O",
"allow_squash_merge": true,
"allow_auto_merge": false,
"delete_branch_on_merge": true,
"allow_merge_commit": true,
"subscribers_count": 42,
"network_count": 0,
"license": {
"key": "mit",
"name": "MIT License",
"url": "https://api.github.com/licenses/mit",
"spdx_id": "MIT",
"node_id": "MDc6TGljZW5zZW1pdA==",
"html_url": "https://github.com/licenses/mit"
},
"forks": 1,
"open_issues": 1,
"watchers": 1
}
]
}
Set selected repositories enabled for GitHub Actions in an organization
Replaces the list of selected repositories that are enabled for GitHub Actions in an organization. To use this endpoint, the organization permission policy for enabled_repositories
must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth app tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Set selected repositories enabled for GitHub Actions in an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write)
Parameters for "Set selected repositories enabled for GitHub Actions in an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
selected_repository_ids array of integers RequiredList of repository IDs to enable for GitHub Actions. |
HTTP response status codes for "Set selected repositories enabled for GitHub Actions in an organization"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set selected repositories enabled for GitHub Actions in an organization"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/repositories \
-d '{"selected_repository_ids":[32,42]}'
Response
Status: 204
Enable a selected repository for GitHub Actions in an organization
Adds a repository to the list of selected repositories that are enabled for GitHub Actions in an organization. To use this endpoint, the organization permission policy for enabled_repositories
must be must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Enable a selected repository for GitHub Actions in an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write) and "Metadata" repository permissions (read)
Parameters for "Enable a selected repository for GitHub Actions in an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
repository_id integer RequiredThe unique identifier of the repository. |
HTTP response status codes for "Enable a selected repository for GitHub Actions in an organization"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Enable a selected repository for GitHub Actions in an organization"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/repositories/REPOSITORY_ID
Response
Status: 204
Disable a selected repository for GitHub Actions in an organization
Removes a repository from the list of selected repositories that are enabled for GitHub Actions in an organization. To use this endpoint, the organization permission policy for enabled_repositories
must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Disable a selected repository for GitHub Actions in an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write) and "Metadata" repository permissions (read)
Parameters for "Disable a selected repository for GitHub Actions in an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
repository_id integer RequiredThe unique identifier of the repository. |
HTTP response status codes for "Disable a selected repository for GitHub Actions in an organization"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Disable a selected repository for GitHub Actions in an organization"
Request example
curl -L \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/repositories/REPOSITORY_ID
Response
Status: 204
Get allowed actions and reusable workflows for an organization
Gets the selected actions and reusable workflows that are allowed in an organization. To use this endpoint, the organization permission policy for allowed_actions
must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Get allowed actions and reusable workflows for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (read)
Parameters for "Get allowed actions and reusable workflows for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
HTTP response status codes for "Get allowed actions and reusable workflows for an organization"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get allowed actions and reusable workflows for an organization"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/selected-actions
Response
Status: 200
{
"github_owned_allowed": true,
"verified_allowed": false,
"patterns_allowed": [
"monalisa/octocat@*",
"docker/*"
]
}
Set allowed actions and reusable workflows for an organization
Sets the actions and reusable workflows that are allowed in an organization. To use this endpoint, the organization permission policy for allowed_actions
must be configured to selected
. For more information, see "Set GitHub Actions permissions for an organization."
OAuth app tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Set allowed actions and reusable workflows for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write)
Parameters for "Set allowed actions and reusable workflows for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
github_owned_allowed boolean Whether GitHub-owned actions are allowed. For example, this includes the actions in the |
verified_allowed boolean Whether actions from GitHub Marketplace verified creators are allowed. Set to |
patterns_allowed array of strings Specifies a list of string-matching patterns to allow specific action(s) and reusable workflow(s). Wildcards, tags, and SHAs are allowed. For example, Note
The |
HTTP response status codes for "Set allowed actions and reusable workflows for an organization"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set allowed actions and reusable workflows for an organization"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/selected-actions \
-d '{"github_owned_allowed":true,"verified_allowed":false,"patterns_allowed":["monalisa/octocat@*","docker/*"]}'
Response
Status: 204
Get default workflow permissions for an organization
Gets the default workflow permissions granted to the GITHUB_TOKEN
when running workflows in an organization,
as well as whether GitHub Actions can submit approving pull request reviews. For more information, see
"Setting the permissions of the GITHUB_TOKEN for your organization."
OAuth tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Get default workflow permissions for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (read)
Parameters for "Get default workflow permissions for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
HTTP response status codes for "Get default workflow permissions for an organization"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get default workflow permissions for an organization"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/workflow
Give read-only permission, and allow approving PRs.
Status: 200
{
"default_workflow_permissions": "read",
"can_approve_pull_request_reviews": true
}
Set default workflow permissions for an organization
Sets the default workflow permissions granted to the GITHUB_TOKEN
when running workflows in an organization, and sets if GitHub Actions
can submit approving pull request reviews. For more information, see
"Setting the permissions of the GITHUB_TOKEN for your organization."
OAuth app tokens and personal access tokens (classic) need the admin:org
scope to use this endpoint.
Fine-grained access tokens for "Set default workflow permissions for an organization"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" organization permissions (write)
Parameters for "Set default workflow permissions for an organization"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
org string RequiredThe organization name. The name is not case sensitive. |
Name, Type, Description |
---|
default_workflow_permissions string The default workflow permissions granted to the GITHUB_TOKEN when running workflows. Can be one of: |
can_approve_pull_request_reviews boolean Whether GitHub Actions can approve pull requests. Enabling this can be a security risk. |
HTTP response status codes for "Set default workflow permissions for an organization"
Status code | Description |
---|---|
204 | Success response |
Code samples for "Set default workflow permissions for an organization"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/orgs/ORG/actions/permissions/workflow \
-d '{"default_workflow_permissions":"read","can_approve_pull_request_reviews":true}'
Success response
Status: 204
Get GitHub Actions permissions for a repository
Gets the GitHub Actions permissions policy for a repository, including whether GitHub Actions is enabled and the actions and reusable workflows allowed to run in the repository.
OAuth tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Get GitHub Actions permissions for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (read)
Parameters for "Get GitHub Actions permissions for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
HTTP response status codes for "Get GitHub Actions permissions for a repository"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get GitHub Actions permissions for a repository"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions
Response
Status: 200
{
"enabled": true,
"allowed_actions": "selected",
"selected_actions_url": "https://api.github.com/repositories/42/actions/permissions/selected-actions"
}
Set GitHub Actions permissions for a repository
Sets the GitHub Actions permissions policy for enabling GitHub Actions and allowed actions and reusable workflows in the repository.
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Set GitHub Actions permissions for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Set GitHub Actions permissions for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
enabled boolean RequiredWhether GitHub Actions is enabled on the repository. |
allowed_actions string The permissions policy that controls the actions and reusable workflows that are allowed to run. Can be one of: |
HTTP response status codes for "Set GitHub Actions permissions for a repository"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set GitHub Actions permissions for a repository"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions \
-d '{"enabled":true,"allowed_actions":"selected"}'
Response
Status: 204
Get the level of access for workflows outside of the repository
Gets the level of access that workflows outside of the repository have to actions and reusable workflows in the repository. This endpoint only applies to private repositories. For more information, see "Allowing access to components in a private repository."
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Get the level of access for workflows outside of the repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (read)
Parameters for "Get the level of access for workflows outside of the repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
HTTP response status codes for "Get the level of access for workflows outside of the repository"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get the level of access for workflows outside of the repository"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/access
Response
Status: 200
{
"access_level": "organization"
}
Set the level of access for workflows outside of the repository
Sets the level of access that workflows outside of the repository have to actions and reusable workflows in the repository. This endpoint only applies to private repositories. For more information, see "Allowing access to components in a private repository".
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Set the level of access for workflows outside of the repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Set the level of access for workflows outside of the repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
access_level string RequiredDefines the level of access that workflows outside of the repository have to actions and reusable workflows within the repository.
Can be one of: |
HTTP response status codes for "Set the level of access for workflows outside of the repository"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set the level of access for workflows outside of the repository"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/access \
-d '{"access_level":"organization"}'
Response
Status: 204
Get allowed actions and reusable workflows for a repository
Gets the settings for selected actions and reusable workflows that are allowed in a repository. To use this endpoint, the repository policy for allowed_actions
must be configured to selected
. For more information, see "Set GitHub Actions permissions for a repository."
OAuth tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Get allowed actions and reusable workflows for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (read)
Parameters for "Get allowed actions and reusable workflows for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
HTTP response status codes for "Get allowed actions and reusable workflows for a repository"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get allowed actions and reusable workflows for a repository"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/selected-actions
Response
Status: 200
{
"github_owned_allowed": true,
"verified_allowed": false,
"patterns_allowed": [
"monalisa/octocat@*",
"docker/*"
]
}
Set allowed actions and reusable workflows for a repository
Sets the actions and reusable workflows that are allowed in a repository. To use this endpoint, the repository permission policy for allowed_actions
must be configured to selected
. For more information, see "Set GitHub Actions permissions for a repository."
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Set allowed actions and reusable workflows for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Set allowed actions and reusable workflows for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
github_owned_allowed boolean Whether GitHub-owned actions are allowed. For example, this includes the actions in the |
verified_allowed boolean Whether actions from GitHub Marketplace verified creators are allowed. Set to |
patterns_allowed array of strings Specifies a list of string-matching patterns to allow specific action(s) and reusable workflow(s). Wildcards, tags, and SHAs are allowed. For example, Note
The |
HTTP response status codes for "Set allowed actions and reusable workflows for a repository"
Status code | Description |
---|---|
204 | No Content |
Code samples for "Set allowed actions and reusable workflows for a repository"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/selected-actions \
-d '{"github_owned_allowed":true,"verified_allowed":false,"patterns_allowed":["monalisa/octocat@*","docker/*"]}'
Response
Status: 204
Get default workflow permissions for a repository
Gets the default workflow permissions granted to the GITHUB_TOKEN
when running workflows in a repository,
as well as if GitHub Actions can submit approving pull request reviews.
For more information, see "Setting the permissions of the GITHUB_TOKEN for your repository."
OAuth tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Get default workflow permissions for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (read)
Parameters for "Get default workflow permissions for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
HTTP response status codes for "Get default workflow permissions for a repository"
Status code | Description |
---|---|
200 | OK |
Code samples for "Get default workflow permissions for a repository"
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/workflow
Give read-only permission, and allow approving PRs.
Status: 200
{
"default_workflow_permissions": "read",
"can_approve_pull_request_reviews": true
}
Set default workflow permissions for a repository
Sets the default workflow permissions granted to the GITHUB_TOKEN
when running workflows in a repository, and sets if GitHub Actions
can submit approving pull request reviews.
For more information, see "Setting the permissions of the GITHUB_TOKEN for your repository."
OAuth app tokens and personal access tokens (classic) need the repo
scope to use this endpoint.
Fine-grained access tokens for "Set default workflow permissions for a repository"
This endpoint works with the following fine-grained token types:
- GitHub App user access tokens
- GitHub App installation access tokens
- Fine-grained personal access tokens
The fine-grained token must have the following permission set:
- "Administration" repository permissions (write)
Parameters for "Set default workflow permissions for a repository"
Name, Type, Description |
---|
accept string Setting to |
Name, Type, Description |
---|
owner string RequiredThe account owner of the repository. The name is not case sensitive. |
repo string RequiredThe name of the repository without the |
Name, Type, Description |
---|
default_workflow_permissions string The default workflow permissions granted to the GITHUB_TOKEN when running workflows. Can be one of: |
can_approve_pull_request_reviews boolean Whether GitHub Actions can approve pull requests. Enabling this can be a security risk. |
HTTP response status codes for "Set default workflow permissions for a repository"
Status code | Description |
---|---|
204 | Success response |
409 | Conflict response when changing a setting is prevented by the owning organization |
Code samples for "Set default workflow permissions for a repository"
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/OWNER/REPO/actions/permissions/workflow \
-d '{"default_workflow_permissions":"read","can_approve_pull_request_reviews":true}'
Success response
Status: 204