What Is a Runner Group?
A runner group is a logical grouping of self-hosted or managed runners with access policies attached to it. The group controls which repositories, organizations, or workflows are allowed to send jobs to those runners. It is the primary way to isolate sensitive runners from untrusted code.
Why it matters
Without grouping, any repo in an org might land jobs on a runner with production network access. Runner groups let you fence high-privilege runners to specific repositories, enforcing least privilege at the fleet level. Managed platforms map groups to tiers so cost and access policy travel together.
Related concepts
- Restricts which repos can use a set of runners
- Pairs with runner labels for routing within a group
- Supports least-privilege isolation of sensitive runners
Related guides
What Is a Runner Label?A runner label is a tag attached to a CI runner that a job uses to target the right machine, such as its OS,…
What Is the Principle of Least Privilege?Least privilege means granting every user, job, or token only the minimum permissions needed to do its task a…
What Is a Managed Runner?A managed runner is CI compute operated by a third party that handles provisioning, scaling, isolation, and m…