Skip to content
Latchkey

GitHub Actions org allowlist blocks a third-party action

Organization actions policy can restrict which actions run - GitHub-authored only, verified creators, or a specific allowlist. A uses step referencing a non-allowed third-party action is blocked before the job runs.

What this error means

A workflow fails because a referenced action is not in the organization’s allowed-actions list.

github-actions
Error: some-org/some-action@v3 is not allowed by the organization's actions policy.
This action is not in the list of allowed actions for the organization.

Common causes

Org policy restricts allowed actions

The org limits actions to specific publishers or an explicit allowlist.

Action not added to the allowlist

A new third-party action must be explicitly permitted to run.

How to fix it

Add the action to the org allowlist

  1. An org admin opens Settings > Actions > General > Allowed actions.
  2. Add the specific action (with version pattern) to the allowlist.

Use an allowed equivalent or vendor the action

  1. Replace the blocked action with a GitHub- or verified-creator action that is permitted.
  2. Or fork/vendor the action into an allowed namespace.
.github/workflows/ci.yml
jobs:
  build:
    steps:
      - uses: actions/checkout@v4

How to prevent it

  • Know your org actions policy before adding third-party actions.
  • Request allowlist additions through your org admins ahead of time.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →