Blocking Builds Org-wide through Config Policies

Overview

As an organization owner, you may want to temporarily block all builds across all projects and branches, for example during infrastructure maintenance, critical environment changes, or a release freeze. You can do this with a config policy, and this article provides a sample policy for it.

Note

This article refers to config policy management, which is only available to organizations on a Scale Plan.

 

org_wide_pause policy

The org_wide_pause policy below allows you to enforce a pause safely and quickly. It ensures that all pipelines within the organization are halted, except for those explicitly exempted (such as a CI project used to publish or manage policies).

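package org

import future.keywords

# Name under which this policy is registered
policy_name["org_wide_pause"]

# Enable the rule and make any violation a hard failure (the pipeline is blocked)
enable_rule["org_wide_rule"]
hard_fail["org_wide_rule"]

# Fires for every project except the exempted policy management project
org_wide_rule = reason {
    not data.meta.project_id == "99999999-9999-9999-9999-999999999999"
    reason := sprintf("Builds have been blocked by admin temporarily for GitHub org: %s", [data.meta.project_id])
}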

 

This policy prevents all pipelines from running within the organization.

  • The exception logic not data.meta.project_id == "99999999-9999-9999-9999-999999999999" ensures that builds from the policy management project are still allowed. This means you can continue to publish, update, or disable policies even during a full pause.

  • Any project ID not matching the exception will fail with the following message:
    "Builds have been blocked by admin temporarily for GitHub org: [project_id]"
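
The tests below are an added example, not part of the original article or CircleCI's own code: OPA unit tests that check the policy's decision for the exempt project, for any other project, and for metadata that carries no project_id. They assume the policy above is saved in the same directory and are run with `opa test .` (add `--v0-compatible` on OPA 1.x); the 11111111-... project ID is constructed.

```rego
package org

# The exempted policy management project must not trigger the rule.
test_exempt_project_not_blocked {
    not org_wide_rule with data.meta as {"project_id": "99999999-9999-9999-9999-999999999999"}
}

# Any other project (constructed ID) is blocked with the documented message.
test_other_project_blocked {
    reason := org_wide_rule with data.meta as {"project_id": "11111111-1111-1111-1111-111111111111"}
    reason == "Builds have been blocked by admin temporarily for GitHub org: 11111111-1111-1111-1111-111111111111"
}

# The rule must be both enabled and a hard failure, otherwise a match
# would not stop the pipeline.
test_rule_is_enabled_and_hard_fail {
    enable_rule["org_wide_rule"]
    hard_fail["org_wide_rule"]
}

# Edge case: if meta has no project_id, the sprintf argument is undefined,
# so the whole rule body is undefined and nothing is blocked. This test
# documents that the pause depends on project_id being present in meta.
test_missing_project_id_does_not_trigger_rule {
    not org_wide_rule with data.meta as {}
}
```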

 

Additional Notes:

Project-Level Exceptions

If you are publishing policies via CI in a specific project, replace the project ID (99999999-9999-9999-9999-999999999999) with the actual project ID for your policy management repository.

This ensures that only that project continues to build, allowing you to make controlled changes to your policies while everything else remains paused.

  • Example:

not data.meta.project_id == "f8f8f8f8-f8f8-f8f8-f8f8-f8f8f8f8f8f8"

 

Org-Wide Block

If you want to block all projects entirely, simply leave the placeholder project ID (99999999-9999-9999-9999-999999999999) as-is. 

Any project ID that does not match it will be blocked. You would have to push and enable policies via the CLI in this scenario.

 
