Enforcing forked pull request workflow policies from Organizations & Enterprise Cloud does not work

[ajschmidt8]

Select Topic Area

Bug

Body

The official GitHub documentation pages below indicate that Organization and Enterprise Cloud administrators should be able to enforce policies for running pull request workflows that originate from public forks:

• https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise
• https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks

In practice, these policies do not work as described.

When the policies are set to the strictest setting at the Organization level, individual repositories can still override this setting.

Similarly, when the policies are set to the strictest setting at the Enterprise Cloud level, individual Organizations can still override this setting.

This is a security issue that should be addressed.