Security & DevOps

GitHub Actions Enforces Strict 2FA for Self-Hosted Runners

Published July 2, 2026 by Dillip Chowdary

In a major move to secure the software supply chain, GitHub has announced that all self-hosted runners in GitHub Actions must now comply with mandatory two-factor authentication (2FA) for the administrative accounts managing them, alongside strict cryptographic key rotation policies.

Self-hosted runners have increasingly become a prime target for attackers. Unlike GitHub-hosted runners, which are ephemeral and destroyed after every job, self-hosted environments are often persistent and run directly within a company's internal network. A compromised runner can give attackers persistent backdoor access to private code, production secrets, and deployment pipelines.

To mitigate this, GitHub's new policy requires the use of short-lived registration tokens that automatically expire, and forces regular rotation of the underlying communication keys between the runner agent (v3.25+) and GitHub's servers. Administrators will receive automated alerts if a runner fails to rotate its keys within the required 30-day window.

Furthermore, any user attempting to register, modify, or delete a self-hosted runner at the organization or repository level will be prompted for an active 2FA challenge, even if they have an active session. This "step-up" authentication ensures that compromised session cookies cannot be used to hijack CI/CD infrastructure.

Action Item

Check your self-hosted Actions runners immediately. Ensure they are running the latest agent version (v3.25+) to support automated key rotation, and verify that all organization admins have hardware-backed 2FA enabled.
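An added audit helper for the two checks above (example code, not from GitHub or the announcement). It assumes each host's agent version is collected with `./config.sh --version` and that the list of members lacking 2FA comes from the REST endpoint `GET /orgs/{org}/members?filter=2fa_disabled`; the runner inventory and member list below are constructed sample data.

```python
"""Audit helpers for the Action Item: agent version >= 3.25 and admin 2FA."""
import re
from typing import Iterable

# Agent version the announcement names as required for automated key rotation.
MIN_RUNNER_VERSION = (3, 25, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.25.1' or 'v3.24.0' into a comparable tuple.

    Raises ValueError on anything that is not a dotted numeric version, so a
    host reporting garbage is surfaced instead of silently passing the check.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised runner version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def outdated_runners(inventory: dict[str, str]) -> list[str]:
    """Return runner names whose agent version is below MIN_RUNNER_VERSION.

    `inventory` maps runner name -> version string reported by that host
    (assumed here to be the output of `./config.sh --version`).
    """
    return sorted(name for name, ver in inventory.items()
                  if parse_version(ver) < MIN_RUNNER_VERSION)


def admins_without_2fa(admins: Iterable[str], no_2fa_members: list[dict]) -> list[str]:
    """Intersect the org admin list with members flagged as 2fa_disabled.

    `no_2fa_members` is the JSON array returned by
    GET /orgs/{org}/members?filter=2fa_disabled (org owner permission);
    each element carries a `login` field.
    """
    disabled = {m["login"] for m in no_2fa_members}
    return sorted(a for a in admins if a in disabled)


# Constructed sample data: not real hosts or users.
SAMPLE_INVENTORY = {"build-01": "3.25.1", "build-02": "v3.24.0", "deploy-01": "3.26"}
SAMPLE_ADMINS = ["alice", "bob", "carol"]
SAMPLE_NO_2FA = [{"login": "bob", "id": 1}, {"login": "dave", "id": 2}]

if __name__ == "__main__":
    print("runners below v3.25:", outdated_runners(SAMPLE_INVENTORY))
    print("admins without 2FA:", admins_without_2fa(SAMPLE_ADMINS, SAMPLE_NO_2FA))
```

The 2fa_disabled filter only says whether 2FA is on, not whether it is hardware-backed; that part of the Action Item remains a manual review of each admin's security settings.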

Tool Spotlight: CodeReviewAI

Automate your security reviews in GitHub Actions to catch vulnerabilities before they merge.
