Skip to content

Actions

Actions enablement/policy and workflow permissions — three separate GitHub API endpoints. Every field is optional; a field left unset is left unmanaged, and an unmanaged field of a pair (e.g. enabled vs. allowed_actions, which share one endpoint) is written back with its live value on apply so the PUT doesn't clear it.

Field Type Default Notes
enabled bool unmanaged Whether Actions is enabled on the repo
allowed_actions all | local_only | selected unmanaged
selected_actions.github_owned_allowed bool true Requires allowed_actions: selected
selected_actions.verified_allowed bool false
selected_actions.patterns_allowed list[string] [] owner/repo patterns
default_workflow_permissions read | write unmanaged
can_approve_pull_request_reviews bool unmanaged "Allow GitHub Actions to create and approve pull requests"
actions:
  enabled: true
  allowed_actions: selected
  selected_actions:
    github_owned_allowed: true
    verified_allowed: true
    patterns_allowed: ["astral-sh/*"]
  default_workflow_permissions: read
  can_approve_pull_request_reviews: true

Setting selected_actions without also setting allowed_actions: selected is a config error rejected at load time, not a silently-ignored sub-config — GitHub rejects that combination too, but this fails fast instead.

default_workflow_permissions and can_approve_pull_request_reviews share the workflow-permissions endpoint the same way enabled/allowed_actions share the permissions endpoint, so the two behave as one pair for the write-back-unmanaged-fields rule above.