Security & DevOps
GitHub Actions Enforces Strict 2FA for Self-Hosted Runners
Published July 2, 2026 by Dillip Chowdary
In a move aimed at the software supply chain, GitHub has announced that administrative accounts managing self-hosted runners in GitHub Actions must use two-factor authentication (2FA), and that the cryptographic keys those runners use to talk to GitHub are now subject to a mandatory rotation policy.
Self-hosted runners have become a prime target for attackers. Unlike GitHub-hosted runners, which are ephemeral virtual machines destroyed after every job, self-hosted runners are often long-lived hosts sitting inside a company's internal network. A compromised runner gives an attacker a persistent foothold with access to private code, the secrets exposed to the workflows it executes, the deployment pipelines it drives, and whatever else is reachable from the host.
To mitigate this, GitHub's new policy requires short-lived runner registration tokens that expire automatically, and forces regular rotation of the keys used for communication between the runner agent (v3.25+) and GitHub's servers. Administrators receive automated alerts if a runner fails to rotate its keys within the required 30-day window.
Furthermore, any user attempting to register, modify, or delete a self-hosted runner at the organization or repository level is prompted for a fresh 2FA challenge, even with an active session. This "step-up" authentication means a stolen session cookie on its own is no longer enough to hijack CI/CD infrastructure.
Action Item
Inventory your self-hosted Actions runners now. Confirm each one is running the latest agent version (v3.25+) so it supports automated key rotation, and verify that every organization admin has hardware-backed 2FA enabled.
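A small audit script for the action item above, and for the registration-token expiry mentioned earlier. This is an added example, not GitHub's own tooling. It relies on three REST endpoints that exist today (GET /orgs/{org}/members with the role=admin and filter=2fa_disabled parameters, POST /orgs/{org}/actions/runners/registration-token, and the usual Bearer-token headers) but keeps the audit logic separate from the HTTP calls so it runs offline on constructed sample responses. Two caveats a practitioner should know: the members API only reports whether 2FA is on at all, not whether it is hardware-backed, and the runners API does not report agent versions, so those have to be collected on each host (the `./config.sh --version` invocation named in the comment is an assumption, as are the org, hostnames, logins and token value in the samples).

```python
"""Audit helpers for self-hosted runner hygiene (added example, not GitHub code)."""
import json
import os
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"
MIN_AGENT = "3.25.0"  # agent version the article names for automatic key rotation


def gh(path, token, method="GET"):
    """Minimal GitHub REST call. The token needs org-owner rights for the
    2FA member filter and the runner registration-token endpoint."""
    req = urllib.request.Request(
        API + path,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def admins_without_2fa(members):
    """`members` is the body of GET /orgs/{org}/members?role=admin&filter=2fa_disabled.
    The filter only says 2FA is off entirely; it cannot tell a TOTP app from a
    hardware key, so an empty result is necessary, not sufficient, for the
    hardware-backed requirement."""
    return sorted(m["login"] for m in members)


def parse_version(v):
    """'v3.25.1' or '3.25.1' -> (3, 25, 1); shorter strings are padded with zeros
    so '3.25' compares equal to '3.25.0'."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def outdated_runners(versions, minimum):
    """`versions` maps runner host -> agent version string, collected per host
    (assumed: `./config.sh --version` in the runner's install directory),
    because the runners REST API does not expose the agent version."""
    floor = parse_version(minimum)
    return sorted(host for host, v in versions.items() if parse_version(v) < floor)


def token_seconds_remaining(token_resp, now):
    """`token_resp` is the body of POST /orgs/{org}/actions/runners/registration-token.
    `expires_at` is RFC 3339 UTC; returns remaining lifetime in seconds (negative = expired)."""
    exp = datetime.strptime(token_resp["expires_at"], "%Y-%m-%dT%H:%M:%SZ")
    return int((exp.replace(tzinfo=timezone.utc) - now).total_seconds())


def audit(members, versions, token_resp, now):
    """Combine the three checks into one report dict."""
    return {
        "admins_without_2fa": admins_without_2fa(members),
        "outdated_runners": outdated_runners(versions, MIN_AGENT),
        "token_ttl_s": token_seconds_remaining(token_resp, now),
    }


# Constructed sample responses shaped like the real endpoints, so the audit
# runs offline. Logins, hostnames, timestamps and the token value are made up.
SAMPLE_ADMINS_NO_2FA = [{"login": "octo-admin", "type": "User"}, {"login": "ci-owner", "type": "User"}]
SAMPLE_VERSIONS = {"build-01": "3.25.1", "build-02": "v3.24.9", "build-03": "3.25.0"}
SAMPLE_TOKEN = {"token": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "expires_at": "2026-07-02T13:00:00Z"}
SAMPLE_NOW = datetime(2026, 7, 2, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    token, org = os.environ.get("GITHUB_TOKEN"), os.environ.get("GH_ORG")
    if token and org:
        # Live mode: API-backed checks, plus a host -> version map the operator
        # supplies as JSON (assumed env var, built from per-host version output).
        members = gh(f"/orgs/{org}/members?role=admin&filter=2fa_disabled", token)
        reg = gh(f"/orgs/{org}/actions/runners/registration-token", token, method="POST")
        versions = json.loads(os.environ.get("RUNNER_VERSIONS_JSON", "{}"))
        report = audit(members, versions, reg, datetime.now(timezone.utc))
    else:
        report = audit(SAMPLE_ADMINS_NO_2FA, SAMPLE_VERSIONS, SAMPLE_TOKEN, SAMPLE_NOW)
    print(json.dumps(report, indent=2))
```

Run it with no environment variables to see the report on the constructed samples (two admins lacking 2FA, build-02 below the 3.25.0 floor, a token with one hour left); set GITHUB_TOKEN and GH_ORG to run the two API-backed checks against a real organization. Anything in `admins_without_2fa` is a finding on its own; the version check still has to be fed from the hosts.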