diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 944ed41d5..91e0d726f 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -1,24 +1,23 @@ name: Verify -on: [push] +on: [push, pull_request] jobs: verify: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - name: verify - run: | - ./ci/bin/install.sh - ./ci/bin/verify.sh + - uses: actions/checkout@v1 + - name: verify + run: | + ./ci/bin/install.sh + ./ci/bin/verify.sh verify-examples: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - name: verify-examples - run: | - ./ci/bin/install.sh - ./ci/bin/verify-examples.sh - + - uses: actions/checkout@v1 + - name: verify-examples + run: | + ./ci/bin/install.sh + ./ci/bin/verify-examples.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 12c85baa6..17909fecb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,11 +7,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## Unrelease +## 4.6.0 - 2019-09-30 +- Add access_level option to registration call in runner template #134 @willychenchen +- Bump gitlab-runner default version to 12.3.0 #135 @loustler + ## 4.5.0 - 2019-09-09 - Set docker machine version by default to 0.16.2 #131 @npalm - Add SSM session manager support #121 #126 @npalm - Move to github actions #130 @npalm -- Enable s3 encryption #129 @hendrixra +- Enable s3 encryption #129 @hendrixroa - Bump gitlab-runner to 12.2.0 #128 @mpsq ## 4.4.0 - 2019-08-21 
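Review bot: With `pull_request` added to `on:` in `.github/workflows/verify.yml`, both jobs run `./ci/bin/install.sh` and the verify scripts from the pull request's code, so a contributor controls what executes on the runner. Keep this workflow free of secrets and declare a read-only token at the top level (`permissions:` with `contents: read`), so a later edit cannot quietly widen what untrusted PR code can reach. `actions/checkout@v1` is a mutable tag; pinning it as `actions/checkout@<full-commit-sha>` (placeholder) fixes which action code runs on those PRs. Branches with an open PR in the same repository will now be verified twice, once per event, which a branch filter on `push` would avoid.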
@@ -231,7 +235,8 @@ Module is available as Terraform 0.11 module, pin module to version 3.x. Please - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17. - Minor updates in the example -[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...HEAD +[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.6.0...HEAD +[4.6.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.5.0...4.6.0 [4.5.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.4.0...4.5.0 [4.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.3.0...4.4.0 [4.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/4.2.0...4.3.0 diff --git a/README.md b/README.md index ce5807069..57840a2ca 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,7 @@ gitlab_runner_registration_config = { locked_to_project = "true" run_untagged = "false" maximum_timeout = "3600" + access_level = "" } ``` 
@@ -252,7 +253,7 @@ terraform destroy | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | diff --git a/_docs/README.md b/_docs/README.md index 0dda80ff2..5b463fdd1 100644 --- a/_docs/README.md +++ b/_docs/README.md @@ -105,6 +105,7 @@ gitlab_runner_registration_config = { locked_to_project = "true" run_untagged = "false" maximum_timeout = "3600" + access_level = "" } ``` diff --git a/_docs/TF_MODULE.md b/_docs/TF_MODULE.md index 3ca61edb8..d74961cbb 100644 --- a/_docs/TF_MODULE.md +++ b/_docs/TF_MODULE.md 
@@ -30,7 +30,7 @@ | environment | A name that identifies the environment, used as prefix and for tagging. | string | n/a | yes | | gitlab\_runner\_registration\_config | Configuration used to register the runner. See the README for an example, or reference the examples in the examples directory of this repo. | map(string) | `` | no | | gitlab\_runner\_ssh\_cidr\_blocks | List of CIDR blocks to allow SSH Access to the gitlab runner instance. | list(string) | `` | no | -| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.2.0"` | no | +| gitlab\_runner\_version | Version of the GitLab runner. | string | `"12.3.0"` | no | | instance\_role\_json | Default runner instance override policy, expected to be in JSON format. | string | `""` | no | | instance\_type | Instance type used for the GitLab runner. | string | `"t3.micro"` | no | | overrides | This maps provides the possibility to override some defaults. The following attributes are supported: `name_sg` overwrite the `Name` tag for all security groups created by this module. `name_runner_agent_instance` override the `Name` tag for the ec2 instance defined in the auto launch configuration. `name_docker_machine_runners` ovverrid the `Name` tag spot instances created by the runner agent. | map(string) | `` | no | diff --git a/examples/runner-public/README.md b/examples/runner-public/README.md index 44017fe64..82f41fbd9 100644 --- a/examples/runner-public/README.md +++ b/examples/runner-public/README.md @@ -11,6 +11,7 @@ This examples shows: - Overrides for tag naming. - Registration via GitLab token. - Auto scaling using `docker+machine` executor. + - Register runner as [protected](https://docs.gitlab.com/ee/ci/runners/#protected-runners). ## Prerequisite diff --git a/examples/runner-public/_docs/README.md b/examples/runner-public/_docs/README.md index 74f978636..455acea6a 100644 --- a/examples/runner-public/_docs/README.md +++ b/examples/runner-public/_docs/README.md 
@@ -10,6 +10,7 @@ This examples shows: - Overrides for tag naming. - Registration via GitLab token. - Auto scaling using `docker+machine` executor. +- Register runner as [protected](https://docs.gitlab.com/ee/ci/runners/#protected-runners). ## Prerequisite diff --git a/examples/runner-public/main.tf b/examples/runner-public/main.tf index 4772cbbd6..a1726e932 100644 --- a/examples/runner-public/main.tf +++ b/examples/runner-public/main.tf @@ -53,6 +53,7 @@ module "runner" { locked_to_project = "true" run_untagged = "false" maximum_timeout = "3600" + access_level = "ref_protected" } overrides = { diff --git a/main.tf b/main.tf index 89b78f96d..ee7896025 100644 --- a/main.tf +++ b/main.tf @@ -128,6 +128,7 @@ data "template_file" "gitlab_runner" { gitlab_runner_locked_to_project = var.gitlab_runner_registration_config["locked_to_project"] gitlab_runner_run_untagged = var.gitlab_runner_registration_config["run_untagged"] gitlab_runner_maximum_timeout = var.gitlab_runner_registration_config["maximum_timeout"] + gitlab_runner_access_level = lookup(var.gitlab_runner_registration_config, "access_level", "not_protected") } } diff --git a/template/gitlab-runner.tpl b/template/gitlab-runner.tpl index 4bc434f64..05960cb46 100644 --- a/template/gitlab-runner.tpl +++ b/template/gitlab-runner.tpl @@ -40,6 +40,7 @@ then --form "locked=${gitlab_runner_locked_to_project}" \ --form "run_untagged=${gitlab_runner_run_untagged}" \ --form "maximum_timeout=${gitlab_runner_maximum_timeout}" \ + --form "access_level=${gitlab_runner_access_level}" \ | jq -r .token) aws ssm put-parameter --overwrite --type SecureString --name "${secure_parameter_store_runner_token_key}" --value $token --region "${secure_parameter_store_region}" fi diff --git a/variables.tf b/variables.tf index b64691493..4cee20690 100644 --- a/variables.tf +++ b/variables.tf 
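Review bot: The `"not_protected"` fallback in `lookup(var.gitlab_runner_registration_config, "access_level", "not_protected")` in `main.tf` only applies when the key is missing, but the module default in `variables.tf` and the README examples in this same commit set `access_level = ""`. With defaults the template therefore receives an empty string rather than `not_protected`. Writing it as `gitlab_runner_access_level = coalesce(lookup(var.gitlab_runner_registration_config, "access_level", ""), "not_protected")`, or changing the default to `"not_protected"`, would make the stated default the effective one. Because this setting decides whether the runner picks up jobs from unprotected refs, the variable description should list the accepted values (`not_protected`, `ref_protected`) and say which one applies when it is left empty. The `template_file` block starts outside the hunk.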
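Review bot: The new `--form "access_level=${gitlab_runner_access_level}"` field in `template/gitlab-runner.tpl` adds an input the registration call may reject, and the result is not checked. `jq -r .token` prints `null` when the response has no token, and the next line stores that value in the parameter store as the runner token. A guard before `aws ssm put-parameter`, such as `if [ -z "$token" ] || [ "$token" = "null" ]; then echo "runner registration failed" >&2; exit 1; fi`, would stop an invalid value from leaving an unusable token behind; quoting `--value "$token"` is worth doing in the same change. The curl command and the surrounding `if` begin above the hunk, so any failure handling there is not visible.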
@@ -294,7 +294,7 @@ variable "cache_shared" { variable "gitlab_runner_version" { description = "Version of the GitLab runner." type = string - default = "12.2.0" + default = "12.3.0" } variable "enable_gitlab_runner_ssh_access" { @@ -394,6 +394,7 @@ variable "gitlab_runner_registration_config" { locked_to_project = "" run_untagged = "" maximum_timeout = "" + access_level = "" } }