Using a Fine-Grained PAT for Self-Hosted Runner Registration

[msanft]

Select Topic Area

Question

Body

Hey there!

I'm currently trying to figure out which permissions are required on a fine-grained PAT to create a registration token for a self-hosted GitHub Actions runner.

The documentation mentions that organization_self_hosted_runners:write is required, but when I create a fine-grained PAT with permissions set as follows, the API call to create the token fails:

The error message of the failing call reads:

{
  "message": "Resource not accessible by personal access token",
  "documentation_url": "https://docs.github.com/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization"
}

Are there any other permissions required for a fine-grained PAT to create runner registration tokens?

[mickeygousset]

YOu don't use a regular or a finegrained PAT to register runners. Runners have their own type of token for registration.

[mickeygousset]

Well, I'm out of initial ideas. I'll see if I can find some time to play with this and see what happens.

[mickeygousset]

@msanft Just for grins, have you tried giving your fine-grained PAT ALL THE RIGHTS, just to try it?

[msanft]

I didn't do so yet, but I'll give it a try and report back here!

[actionshrimp]

I was just able to get this to work by generating a fine-grained PAT token from an account that was a github org-level admin.

I was originally trying to do this from a non-admin 'bot' account, was able to generate the token / request approval / and then approve the token from my admin account, however this token encountered the error above. I assume there is some kind of issue with the approval process for fine-grained PATs.

Ideally I would be able to manage the token from this 'bot' account, but at least there is a workaround for now, and I feel more comfortable using this fine-grained token from my own account with just this single permission, vs a classic admin token.

For reference, this is the permission list for my new token - I am able to register new runners with just that one single permission selected.

[mickeygousset]

Are you installing the runner at the org level? Then yes, your account would need to have org level privileges. Just because you give a PAT org permissions, it still runs as you, the user, so if you don't have org owner access, you can't install the runner at the org level.

Good catch! I hadn't thought of that yet.

[mickeygousset]

Its not an issue or a workaround, it is working as designed. You can create a pat and check the box to give it org level permissions, but remember is still runs as "you", and if you aren't an org owner, then it won't have the access to do what it needs to do.

[actionshrimp]

That seems a bit counterintuitive to me, as the permission is called 'Read and write access to organization self hosted runners', is granted at organization level, and you have to be approved access by an org admin in order to generate a token with that permission.

For creating a repo level runner token, there's a separate endpoint which seems to require the administration:write permission (docs for repo level endpoint), rather than organization_self_hosted_runners:write (docs for org level endpoint.)

If you need to be an org admin to use the permission as you say, does that imply that the permission is essentially useless for anyone who isn't an org owner? If so, what's the point of the approval step?

[mickeygousset]

Correct, it is useless unless you are an org owner. Which is what you want.

otherwise, I could be a person with just read access to a repo, but using a token, I suddenly have org owner powers. That would break security.