[Sept 30] Update policy settings for actions (github#15701)

Co-authored-by: Rachael Sewell <[email protected]>

content/actions/reference/usage-limits-billing-and-administration.md

@@ -6,17 +6,23 @@ redirect_from:
   - /actions/getting-started-with-github-actions/usage-and-billing-information-for-github-actions
 versions:
   free-pro-team: '*'
+  enterprise-server: '>=2.22'
 ---
 
 {% data reusables.actions.enterprise-beta %}
 {% data reusables.actions.enterprise-github-hosted-runners %}
 
 ### About billing for {% data variables.product.prodname_actions %}
 
+{% if currentVersion == "free-pro-team@latest" %}
 {% data reusables.github-actions.actions-billing %} For more information, see "[About billing for {% data variables.product.prodname_actions %}](/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-github-actions)."
+{% else %}
+GitHub Actions usage is free for {% data variables.product.prodname_ghe_server %} that use self-hosted runners.
+{% endif %}
 
 ### Usage limits
 
+{% if currentVersion == "free-pro-team@latest" %}
 There are some limits on {% data variables.product.prodname_actions %} usage when using {% data variables.product.prodname_dotcom %}-hosted runners. These limits are subject to change.
 
 {% note %}
@@ -37,13 +43,21 @@ There are some limits on {% data variables.product.prodname_actions %} usage whe
   | Team | 60 | 5 |
   | Enterprise | 180 | 50 |
 - **Job matrix** - {% data reusables.github-actions.usage-matrix-limits %}
+{% else %}
+Usage limits apply to self-hosted runners. For more information, see "[About self-hosted runners](/actions/hosting-your-own-runners/about-self-hosted-runners/#usage-limits)."
+{% endif %}
 
+{% if currentVersion == "free-pro-team@latest" %}
 ### Usage policy
 
 In addition to the usage limits, you must ensure that you use {% data variables.product.prodname_actions %} within the [GitHub Terms of Service](/articles/github-terms-of-service/). For more information on {% data variables.product.prodname_actions %}-specific terms, see the [GitHub Additional Product Terms](/github/site-policy/github-additional-product-terms#a-actions-usage).
+{% endif %}
 
 ### Disabling or limiting {% data variables.product.prodname_actions %} for your repository or organization
 
 {% data reusables.github-actions.disabling-github-actions %}
 
-For more information, see "[Disabling or limiting {% data variables.product.prodname_actions %} for a repository](/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository)" or "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization)."
+For more information, see:
+- "[Disabling or limiting {% data variables.product.prodname_actions %} for a repository](/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository)"
+- "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization)"{% if currentVersion == "free-pro-team@latest" %}
+- "[Enforcing {% data variables.product.prodname_actions %} policies in your enterprise account](/github/setting-up-and-managing-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account)" for {% data variables.product.prodname_ghe_cloud %}{% endif %}

content/github/administering-a-repository/disabling-or-limiting-github-actions-for-a-repository.md

@@ -17,6 +17,8 @@ You can enable {% data variables.product.prodname_actions %} for your repository
 
 Alternatively, you can enable {% data variables.product.prodname_actions %} in your repository but limit the actions a workflow can run. {% data reusables.github-actions.enabled-local-github-actions %}
 
+{% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "[email protected]" %}
+
 ### Managing {% data variables.product.prodname_actions %} permissions for your repository
 
 {% note %}
@@ -31,6 +33,43 @@ Alternatively, you can enable {% data variables.product.prodname_actions %} in y
 4. Under "Actions permissions", select an option.
   ![Enable, disable, or limits actions for this repository](/assets/images/help/repository/enable-repo-actions.png)
 
+{% endif %}
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "[email protected]" %}
+
+### Managing {% data variables.product.prodname_actions %} permissions for your repository
+
+You can disable all workflows for a repository or set a policy that configures which actions can be used in a repository. 
+
+{% data reusables.actions.actions-use-policy-settings %}
+
+{% note %}
+
+**Note:** You might not be able to manage these settings if your organization has an overriding policy or is managed by an enterprise that has overriding policy. For more information, see "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization)" or {% if currentVersion == "free-pro-team@latest" %}"[Enforcing {% data variables.product.prodname_actions %} policies in your enterprise account](/github/setting-up-and-managing-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account)."{% else if currentVersion ver_gt "[email protected]" %}"[Enforcing {% data variables.product.prodname_actions %} policies for your enterprise](/enterprise/admin/github-actions/enforcing-github-actions-policies-for-your-enterprise)."
+
+{% endif %} 
+
+{% endnote %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.settings-sidebar-actions %}
+1. Under **Actions permissions**, select an option.
+  ![Set actions policy for this organization](/assets/images/help/repository/actions-policy.png)
+1. Click **Save**.
+
+### Allowing specific actions to run
+
+{% data reusables.actions.allow-specific-actions-intro %}
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.sidebar-settings %}
+{% data reusables.repositories.settings-sidebar-actions %}
+1. Under **Actions permissions**, select **Allow specific actions** and add your required actions to the list.
+  ![Add actions to allow list](/assets/images/help/repository/actions-policy-allow-list.png)
+2. Click **Save**.
+{% endif %}
+
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "[email protected]" %}
 ### Enabling workflows for private repository forks
 

content/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization.md

@@ -17,6 +17,8 @@ You can enable {% data variables.product.prodname_actions %} for all repositorie
 
 Alternatively, you can enable {% data variables.product.prodname_actions %} for all repositories in your organization but limit the actions a workflow can run. {% data reusables.github-actions.enabled-local-github-actions %}
 
+{% if currentVersion != "free-pro-team@latest" and currentVersion ver_lt "[email protected]" %}
+
 ### Managing {% data variables.product.prodname_actions %} permissions for your organization
 
 {% data reusables.profile.access_profile %}
@@ -27,6 +29,44 @@ Alternatively, you can enable {% data variables.product.prodname_actions %} for
   ![Enable, disable, or limit actions for this organization](/assets/images/help/repository/enable-org-actions.png)
 1. Click **Save**.
 
+{% endif %}
+
+{% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "[email protected]" %}
+
+### Managing {% data variables.product.prodname_actions %} permissions for your organization
+
+You can disable all workflows for an organization or set a policy that configures which actions can be used in an organization. 
+
+{% data reusables.actions.actions-use-policy-settings %}
+
+{% note %}
+
+**Note:** You might not be able to manage these settings if your organization is managed by an enterprise that has overriding policy. For more information, {% if currentVersion == "free-pro-team@latest" %}"[Enforcing {% data variables.product.prodname_actions %} policies in your enterprise account](/github/setting-up-and-managing-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account)."{% else %}"[Enforcing {% data variables.product.prodname_actions %} policies for your enterprise](/enterprise/admin/github-actions/enforcing-github-actions-policies-for-your-enterprise)."{% endif %}
+
+{% endnote %}
+
+{% data reusables.profile.access_profile %}
+{% data reusables.profile.access_org %}
+{% data reusables.organizations.org_settings %}
+{% data reusables.organizations.settings-sidebar-actions %}
+1. Under **Policies**, select an option.
+  ![Set actions policy for this organization](/assets/images/help/organizations/actions-policy.png)
+1. Click **Save**.
+
+### Allowing specific actions to run
+
+{% data reusables.actions.allow-specific-actions-intro %}
+
+{% data reusables.profile.access_profile %}
+{% data reusables.profile.access_org %}
+{% data reusables.organizations.org_settings %}
+{% data reusables.organizations.settings-sidebar-actions %}
+1. Under **Policies**, select **Allow specific actions** and add your required actions to the list.
+  ![Add actions to allow list](/assets/images/help/organizations/actions-policy-allow-list.png)
+1. Click **Save**.
+
+{% endif %}
+
 {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "[email protected]" %}
 ### Enabling workflows for private repository forks
 

content/github/setting-up-and-managing-your-enterprise-account/enforcing-github-actions-policies-in-your-enterprise-account.md

@@ -13,13 +13,27 @@ By default, {% data variables.product.prodname_actions %} is enabled in all orga
 
 For more information about {% data variables.product.prodname_actions %}, see "[About {% data variables.product.prodname_actions %}](/actions/getting-started-with-github-actions/about-github-actions)."
 
-
 ### Managing {% data variables.product.prodname_actions %} permissions for your enterprise account
 
+You can disable all workflows for an enterprise or set a policy that configures which actions can be used in an organization. 
+
+{% data reusables.actions.actions-use-policy-settings %}
+
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
 {% data reusables.enterprise-accounts.actions-tab %}
 {% data reusables.actions.enterprise-actions-permissions %}
+1. Click **Save**.
+
+### Allowing specific actions to run
+
+{% data reusables.actions.allow-specific-actions-intro %}
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.policies-tab %}
+{% data reusables.enterprise-accounts.actions-tab %}
+1. Under **Policies**, select **Allow specific actions** and add your required actions to the list.
+  ![Add actions to allow list](/assets/images/help/organizations/enterprise-actions-policy-allow-list.png)
 
 ### Enabling workflows for private repository forks
 

data/reusables/actions/actions-use-policy-settings.md

@@ -0,0 +1,3 @@
+If you choose the option to **Allow specific actions**, there are additional options that you can configure. For more information, see "[Allowing specific actions to run](#allowing-specific-actions-to-run)."
+
+When you allow local actions only, the policy blocks all access to actions authored by {% data variables.product.prodname_dotcom %}. For example, the [`actions/checkout`](https://github.com/actions/checkout) would not be accessible.

data/reusables/actions/allow-specific-actions-intro.md

@@ -0,0 +1,19 @@
+When you select the **Allow select actions**, there are additional options that you need to choose to configure the allowed actions:
+
+- **Allow actions created by {% data variables.product.prodname_dotcom %}:** You can allow all actions created by {% data variables.product.prodname_dotcom %} to be used by workflows. Actions created by {% data variables.product.prodname_dotcom %} are located in the `actions` and `github` organization. For more information, see the [`actions`](https://github.com/actions) and [`github`](https://github.com/github) organizations.
+- **Allow verified actions from the Marketplace:** You can allow all verified actions in {% data variables.product.prodname_marketplace %} to be used by workflows. When GitHub has verified the creator of the action as a partner organization, the {% octicon "verified" aria-label="The verified badge" %} badge is displayed next to the action in {% data variables.product.prodname_marketplace %}.
+- **Allow specified actions:** You can restrict workflows to use actions in specific organizations and repositories.
+
+  To restrict access to specific tags or commit SHAs of an action, use the same `<OWNER>/<REPO>@<TAG OR SHA>` syntax used in the workflow to select the action. For example, `actions/[email protected]` to select a tag or `actions/javascript-action@172239021f7ba04fe7327647b213799853a9eb89` to select a SHA. For more information, see "[Finding and customizing actions](/actions/learn-github-actions/finding-and-customizing-actions#using-release-management-for-your-custom-actions)."
+
+  You can use the `*` wildcard character to match patterns. For example, to allow all actions in organizations that start with `space-org`, you can specify `space-org*/*`. To add all actions in repositories that start with octocat, you can use `*/octocat*@*`. For more information about using the `*` wildcard, see "[Workflow syntax for GitHub Actions](/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet)." 
+
+  {% if currentVersion == "free-pro-team@latest" %}
+  {% note %}
+
+  **Note:** The **Allow specified actions** option is only available in public repositories with the {% data variables.product.prodname_free_user %}, {% data variables.product.prodname_pro %}, {% data variables.product.prodname_free_team %} for organizations, or {% data variables.product.prodname_team %} plan.
+
+  {% endnote %}
+  {% endif %}
+
+This procedure demonstrates how to add specific actions to the allow list.

data/reusables/actions/enterprise-actions-permissions.md

@@ -1,2 +1,2 @@
 1. Under "Policies", select an option.
-  ![Enable, disable, or limits actions for this enterprise account](/assets/images/help/settings/actions-enable-enterprise-account.png)
+  ![Enable, disable, or limits actions for this enterprise account](/assets/images/help/organizations/enterprise-actions-policy.png)