Summary

We request an enhancement to CircleCI's access control mechanisms to ensure that workflows executing on specific runners (e.g., production, staging, or other critical environments) are explicitly linked to a CircleCI Context that enforces security policies. This would prevent unauthorized deployments across all environments.

Problem Statement

Currently, a job configured with a non-restricted context (e.g., staging) can still execute on a runner assigned to a restricted environment simply by specifying that runner's resource_class. This means:

- A workflow without proper approval can inadvertently trigger deployments in restricted environments.
- Context restrictions do not prevent execution on a runner with elevated access.
- While the deployment itself may fail due to missing credentials or other access barriers, the ability to attempt an unauthorized deployment remains a security risk.

Proposed Solution

CircleCI should implement a stricter enforcement mechanism that ensures:

- Runner-Level Context Enforcement: Runners designated for specific environments (e.g., production, staging) should be restricted to workflows explicitly using a designated CircleCI Context with appropriate access controls.
- Security Group Validation: Only users in an authorized security group (e.g., Environment-Deployers) should be able to trigger workflows that execute on restricted runners.
- Blocking Unauthorized Execution: If a job specifies a restricted runner but does not meet the approval requirements, the workflow should fail early with a clear security violation message.

Steps to Replicate Current Issue

1. Configure a CircleCI job with a non-restricted context (e.g., staging).
2. Set the job's resource_class to a runner designated for a restricted environment.
3. Push a commit to trigger the job in CircleCI.
4. Observe that a deployment attempt occurs in the restricted environment despite lacking approval from the expected security group.

Deployment may fail due to missing credentials, but unauthorized workflows still reach restricted environments.

Expected Behavior

- If a job specifies a restricted runner, it should be required to use the appropriate CircleCI Context.
- Only authorized users in the relevant security group should be able to trigger workflows on such runners.
- Unauthorized workflows should be blocked before execution, preventing unauthorized access to sensitive environments.

This feature would strengthen security controls, prevent unintended deployments, and align CircleCI's access model with best practices for environment separation. Let us know if additional details or clarifications are needed. We appreciate your consideration!
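Until such enforcement exists on the platform side, the gap described in the replication steps can be caught before merge with a lint over the parsed .circleci/config.yml. The check below is an added example, not CircleCI's own code or part of this request; the resource class name "example-org/prod-runner", the context name "production-deployers" and the sample config are constructed, and the config is shown as the dict that yaml.safe_load would return.

```python
# Pre-merge lint: flag any workflow entry that schedules a job on a restricted
# runner resource_class without the context that runner is supposed to require.

# Restricted resource class -> context it must be paired with (constructed names).
RESTRICTED_RUNNERS = {
    "example-org/prod-runner": "production-deployers",
}

def find_violations(config):
    """Return (workflow, job, resource_class, contexts) for each violating entry."""
    jobs = config.get("jobs", {})
    violations = []
    for wf_name, wf in config.get("workflows", {}).items():
        if not isinstance(wf, dict):
            continue  # skip the legacy 'version' key under workflows
        for entry in wf.get("jobs", []):
            # Entries are either a bare job name or {job_name: {options}}.
            if isinstance(entry, str):
                job_name, opts = entry, {}
            else:
                job_name, opts = next(iter(entry.items()))
            rc = jobs.get(job_name, {}).get("resource_class")
            required = RESTRICTED_RUNNERS.get(rc)
            if required is None:
                continue  # not a restricted runner
            contexts = opts.get("context", [])
            if isinstance(contexts, str):
                contexts = [contexts]  # 'context' may be a scalar or a list
            if required not in contexts:
                violations.append((wf_name, job_name, rc, tuple(contexts)))
    return violations

# Constructed config reproducing the issue: the deploy job targets the
# restricted runner but the workflow only grants the staging context.
SAMPLE_CONFIG = {
    "version": 2.1,
    "jobs": {
        "build": {"docker": [{"image": "cimg/base:stable"}], "steps": ["checkout"]},
        "deploy": {
            "machine": True,
            "resource_class": "example-org/prod-runner",
            "steps": [{"run": "./deploy.sh"}],
        },
    },
    "workflows": {
        "version": 2,
        "release": {"jobs": ["build", {"deploy": {"context": "staging", "requires": ["build"]}}]},
    },
}

if __name__ == "__main__":
    for wf, job, rc, ctx in find_violations(SAMPLE_CONFIG):
        print(f"{wf}/{job}: resource_class {rc} requires context "
              f"{RESTRICTED_RUNNERS[rc]!r}, got {list(ctx)}")
```

Running it on the sample prints one violation for release/deploy; exit non-zero from CI on any violation to block the merge.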