1. A platform engineering team manages a self-hosted runner fleet for multiple organizations within a GitHub Enterprise. They want a subset of high-memory runners to be accessible only to the `data-engineering` and `ml-platform` organizations, while remaining hidden from all other organizations. What is the correct approach?
- A. Add the high-memory runners to the default runner group, then use runner labels to restrict access within workflows
- B. Create a runner group at the enterprise level, assign the high-memory runners to it, and set the group's organization access to only `data-engineering` and `ml-platform`✓ Correct
- C. Create a separate runner group in each of the two organizations and register the same physical runners in both groups simultaneously
- D. Set a custom label (e.g., `high-memory`) on the runners and document that only `data-engineering` and `ml-platform` should use that label in their `runs-on` key
Explanation
Option B is correct because enterprise-level runner groups are specifically designed to control which organizations can access a given set of runners. By creating an enterprise runner group and limiting its access to only the two specified organizations, the runners are invisible and inaccessible to all other organizations. Option A is wrong because the default runner group is accessible to all organizations by default, and runner labels alone do not enforce access control—any org could still reference the label. Option C is wrong because a self-hosted runner can only be registered in one location at a time; registering the same runner in two org-level groups simultaneously is not supported. Option D is wrong because labels are a targeting mechanism, not an access-control mechanism; any organization with access to the runner could use the label.