Skip to content

Repo sync #43336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
docs-bot merged 2 commits into from
Mar 12, 2026
+10 −1
Merged

Repo sync #43336

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
966392e
update security guide for custom image (#60174)
ShenChen93 Mar 12, 2026
dae40e1
Add note on enterprise dedicated domain selection to note ghe domain …
DamienButler Mar 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,3 +159,11 @@ Once your custom image is ready, you can install it on a new {% data variables.a
```

1. Run your workflow to verify that it completes successfully. The job logs will show the image name and version in the "Set up job" section.

## Security best practices for custom images

To prevent unauthorized changes to your images, follow these best practices.

* **Use dedicated runner groups for image generation.** Runners that generate production images must remain in a dedicated runner group. Do not share runner groups between production and development or test repositories, as anyone with access to a development or test repository could inject malicious code into a production image.
* **Do not allow public repositories to access image-generation runners.** Limit the repositories that can use image-generation runners to only those that require it, and review access regularly.
* **Apply least privilege to repositories.** Avoid granting organization-wide `write` access for repositories that have access to image-generation runners. Because images can be generated from any branch, anyone with write access could create a branch with arbitrary code and trigger image generation.
3 changes: 2 additions & 1 deletion ...ta-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,9 @@ To get started with {% data variables.enterprise.data_residency_short %}, you wi
1. Select **Get started with managed users**.
1. Under "Data hosting", use the dropdown menu to select your region for {% data variables.enterprise.data_residency_short %}.
1. Complete the signup form. Pay close attention to the following fields:

* **Subdomain**: This will appear in your enterprise's dedicated domain. For example: `{% data variables.enterprise.data_residency_example_domain %}`.
> [!NOTE]
> Please select the subdomain carefully. You cannot change it later.
* **Identity Provider**: {% data variables.product.github %} partners with certain identity providers to provide a "paved-path" experience. Check whether your identity provider is a partner and ensure you understand the requirements for other systems. See [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems).
* **Admin work email**: This is where you will receive the invitation to sign in and configure the enterprise for the first time.

Expand Down
Loading