Configuration tries to use the registration endpoint even when passed --token <token>

[Caeleron]

Describe the bug
When running the configuration of the runner unattended, some means of authenticating is required. The documentation at https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization claims that a token from that endpoint can be used with the --token <token> option. Instead, the runner attempts to obtain a new one with a PAT that may or may not be passed to it (See ConfigurationManager.cs#L111) In the case that it isn't, the configuration fails with a 404.

To Reproduce
Steps to reproduce the behavior:

1. Obtain a registration token from https://api.github.com/orgs/ORG/actions/runners/registration-token, where ORG is a valid organization. Call this registration token TOKEN.
2. Run ./config --unattended --url https://github.com/ORG --token TOKEN
3. An error is printed out and the runner exits

Expected behavior
What is described to be possible in https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization

Runner Version and Platform

Version 2.291.1, Commit 496ec0d

OS of the machine running the runner? OSX/Windows/Linux/...
Linux, Ubuntu 20.04.4 LTS

What's not working?

Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration'
{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).

Job Log Output

N/A

Runner and Worker's Diagnostic Logs

N/A

[ruvceskistefan]

Hi @Caeleron,
Thanks for reporting this issue. I'll try to reproduce it, so I'll get back to you as soon as I have more information.

[ruvceskistefan]

I tried to reproduce the issue you reported, but I had no problem with org runner configuration. Are you sure that your token just didn't expire, since the token generated this way expires after an hour?

[Caeleron]

I used the token immediately after generating it. I know that the PAT used to generate the registration token is valid and has the permissions needed because passing it to the runner via --pat PAT works.

[ruvceskistefan]

Hi @Caeleron,

My coworker and I tried to reproduce this issue again, but we had no problems configuring the runner. I'm sending you a link to the documentation where you have instructions for self-checking (mainly connection/internet stuff and similar). Let me know if any of this helped you.

[Caeleron]

The runner is able to access GitHub without any issues. In fact, the registration endpoint works when called from the runner when passed a valid PAT. However, the problem happens when I try to manually produce the registration token using the same PAT and endpoint as the runner, which produces a valid token but the runner instead attempts to use it as a token to request a registration token.

[Caeleron]

I found the debug traces for both cases.

Using token:

[2022-05-10 15:02:21Z INFO ConfigurationManager] ConfigureAsync
[2022-05-10 15:02:21Z INFO ConfigurationStore] IsConfigured()
[2022-05-10 15:02:21Z INFO ConfigurationStore] IsConfigured: False
[2022-05-10 15:02:21Z INFO ConfigurationManager] Is configured: False
[2022-05-10 15:02:21Z INFO CommandSettings] Arg 'url': 'https://github.com/ORG'
[2022-05-10 15:02:21Z INFO CommandSettings] Remove url from Arg dictionary.
[2022-05-10 15:02:21Z INFO CommandSettings] Arg 'token': '***'
[2022-05-10 15:02:21Z INFO CommandSettings] Remove token from Arg dictionary.
[2022-05-10 15:02:21Z ERR  Terminal] WRITE ERROR: Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration'
[2022-05-10 15:02:21Z ERR  Terminal] WRITE ERROR: {"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
[2022-05-10 15:02:21Z ERR  Runner] System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at GitHub.Runner.Listener.Configuration.ConfigurationManager.GetTenantCredential(String githubUrl, String githubToken, String runnerEvent)
   at GitHub.Runner.Listener.Configuration.ConfigurationManager.ConfigureAsync(CommandSettings command)
   at GitHub.Runner.Listener.Runner.ExecuteCommand(CommandSettings command)

Using PAT:

[2022-05-10 17:48:06Z INFO ConfigurationManager] ConfigureAsync
[2022-05-10 17:48:06Z INFO ConfigurationStore] IsConfigured()
[2022-05-10 17:48:06Z INFO ConfigurationStore] IsConfigured: False
[2022-05-10 17:48:06Z INFO ConfigurationManager] Is configured: False
[2022-05-10 17:48:06Z INFO CommandSettings] Arg 'url': 'https://github.com/ORG'
[2022-05-10 17:48:06Z INFO CommandSettings] Remove url from Arg dictionary.
[2022-05-10 17:48:06Z INFO ConfigurationManager] Retriving runner registration token using GitHub PAT.
[2022-05-10 17:48:06Z INFO ConfigurationManager] Http response code: Created from 'POST https://api.github.com/orgs/ORG/actions/runners/registration-token'
[2022-05-10 17:48:07Z INFO ConfigurationManager] Retrived runner registration token is good to 2022-05-10T14:48:06.708-04:00.
[2022-05-10 17:48:07Z INFO ConfigurationManager] Http response code: OK from 'POST https://api.github.com/actions/runner-registration'
[2022-05-10 17:48:07Z INFO ConfigurationManager] cred retrieved via GitHub auth

As a reminder, this is using the same PAT for both, so there is no way that the PAT can be invalid.

[neilmock]

We are having the same issue, our entrypoint is here:

https://gist.github.com/neilmock/2b996ddc17bb8dd5bfe23a18f1e1d968

[andreasweberd]

Note: the token provided in

https://github.com/organizations//settings/actions/runners/new

is not static, it expires fast so this happens when not using the token immediately

[Caeleron]

This is not using the token generated by the web interface at https://github.com/organizations/ORG/settings/actions/runners/new. This is using the API endpoint at https://api.github.com/orgs/ORG/actions/runners/registration-token.

The use case for all of this is generating runners on the fly without someone manually configuring the instance through the web interface.

[kamal-shaker]

I have the issue too, I'm running auto-scaled instances. I fixed it by getting a new token. So the issue appears to be the length of time the tokens are valid for, we can't specify a length, nor is it documented what it is, so it's almost useless for our longer running auto-scaled instances.

[aut0]

I think GitHub changed the API, check here:
https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization

[Caeleron]

The documentation and API looks to be the same from when I was referring to it back in May 2022. The example curl command and subsequent call to ./config.sh also looks the same to what I had originally attempted. (See original post)

[noozo]

+1. Seems like Github really wants you paying for their own runners.

[sasideveloper]

I am seeing the same issue, but its not consistent. Sometimes, registration goes through, few times, it fails.

[KanHarI]

Same issue here. Appeared just now, worked perfectly until 1 week ago

[andrejusc]

What that 404 stands for here? If that short lived token is already expired - then we should be getting 401 or 403 ideally, but I'm also getting same as others when token is expired:

[runner] | # Authentication
[runner] |
Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration'
{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).
An error occurred: Not configured. Run config.(sh/cmd) to configure the runner.
exit code: 1

At the moment utilizing version 2.300.2 of runner.

[ilibar-zpt]

Same issue
404 is extremely confusing as well, should be 401 or 403

[Schokostoffdioxid]

I used the token immediately after generating it. I know that the PAT used to generate the registration token is valid and has the permissions needed because passing it to the runner via --pat PAT works.

the --pat was fixing my Problem with the Registration, Thanks!

[faridfaoudi]

Using personal access token with fine-grained permissions work fine for me

[ruvceskistefan]

Hi All,
I'll close this issue since the problem is not happening anymore. If anybody counters a similar issue feel free to reopen the issue and we'll investigate further.

[Caeleron]

@ruvceskistefan The issue is definitely not fixed. People have been misreading the issue and claiming it has been working. It is not fixed.

The personal access token works, but that is not the bug at hand. The bug is that the --token field does not work.

[oojacoboo]

@ruvceskistefan The issue was an expired token for me. I think the response code should be updated. A 404 is not sufficient for this error.

[Caeleron]

@oojacoboo This issue has nothing to do with expired personal access tokens. This is involving the registration token that can be generated here: https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization

@ruvceskistefan Please reopen the issue, as the issue is not fixed. I don't seem to have the ability to. I will need to make a new issue if this is not re-opened.

[amontalban]

I'm having this error as well, the message is not that clear.

$ ./config.sh --url https://github.com/TeamAround/Around --token TOKEN

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration' (Request Id: ID)
{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).

[maeghan-porter]

I am getting this error randomly when using ARC in an EKS cluster. Obviously it's not an issue of an expired or incorrect token since it fails only randomly. It's also worth mentioning that the last time it failed for me, it was literally in the middle of running a workflow (2 minutes in), which seems strange since the runner should have already been registered before picking up the job? Unless it has to re-register every few mins or something?

[Ankit-Kr-Verma]

Hi,
Facing same issue here for enterprise repo, while trying to register the token(PAT) for Github actions using docker based self hosted runners, getting 404 error.

Steps to reproduce the behaviour:
Obtain a registration token from https://api.github.com/orgs/ORG/actions/runners/registration-token, where ORG is a valid organisation.
Call this registration token TOKEN.
Run ./config --unattended --url https://github.com/ORG --token TOKEN
An error is printed out. Attaching the screenshot:

Base Image: Ubuntu 20.04
Runner Version- Version 2.304.0 and Platform - linux/amd64 ubuntu:20.04
OS of the machine running the runner? Mac-M1.
Token (PAT): The minimum permission scopes required on the PAT token to register a self hosted runner are: "repo", "read:org"

Expected behaviour
It should have registered the token and self hosted runner should be registered against the repository.

What's not working?
Http response code: NotFound from 'POST https://api.github.com/actions/runner-registration'
{"message":"Unable to find owner runner.","documentation_url":"https://docs.github.com/rest"}
Response status code does not indicate success: 404 (Not Found).

[clowa]

Also faced this issue using the --token parameter. Turns out the runner tokens are just valid for 1h and I was just using an expired token.

[lromanowicz]

hey @ruvceskistefan - any update on this?

[Ankit-Kr-Verma]

Hi, in my case I'm using refresh token only still getting the same issue as mentioned in the above comment

[Ankit-Kr-Verma]

Hi, any update on this comment ?

[rupertbg]

Also faced this issue using the --token parameter. Turns out the runner tokens are just valid for 1h and I was just using an expired token.

It's probably this

If you get this issue when setting up a runner from the documentation then take into account that the token that is provided in the command expires

So if you copy paste this command
./config.sh --url https://github.com/{org here} --token {token here}
from a tab that you've had open for a while the token will be expired

[bhohbaum]

I got a 404 from the github auth REST endpoint with win11 powershell when i wrote
--url and --token. but it magically worked also on win11 after i recognized, that i should write --Url and --Token, as i did under linux a few hours before.
These parameters seem to be somehow case sensitive.

[sandorspruit]

Having the same issue here, trying to programmatically attach a self-hosted runner to a specific repository. Using a PAT for my account to acquire a registration token, then pass that token to "./config.sh". Weird thing is: manually entering the three required commands seems to work, but doing the same thing in a shell script, in a Docker container doesn't. No clue why. I even checked the timezone on the container, but to no avail.

Problem solved: turns out an environment variable passed down to the container had an invalid value, which caused the error in the configuration script.

[Qix-]

For anyone running into this issue when trying to adapt a script they've found on the internet to run GA Runners in e.g. docker, make sure the curl call to the actions/runners/registrationtoken endpoint is actually api.github.com/repos/${ORG}/${REPO}/..., not api.github.com/orgs/${ORG}/.... The latter is for registering runners at the org level, the former is for the repository level.

Actually, you immediately get back Resource not accessible by personal access token. This is because, per the docs, you must give it repository admin privileges, which means you're opening up that repository to a security risk just to have this functionality, which sucks, because the alternative is opening up potentially sensitive runners to the organization because 1) they're the only runners creatable by PAT tokens in a quasi-secure way, and 2) you must have Github Enterprise to use runner groups, which are a security feature.

GG, Github. Actively working against OSSers trying to get stuff done securely.

[DonaldFoss-SCC]

https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization

Are you sure that your token just didn't expire, since the token generated this way expires after an hour?

This is what my was, though I really question returning an HTTP 404 error when it is a token expiry issue. Shouldn't that be a different 4XX error, something that might hint that authorization is the issue, not have us searching for why an API says it isn't there?

[DonaldFoss-SCC]

For anyone running into this issue when trying to adapt a script they've found on the internet to run GA Runners in e.g. docker, make sure the curl call to the actions/runners/registrationtoken endpoint is actually api.github.com/repos/${ORG}/${REPO}/..., not api.github.com/orgs/${ORG}/.... The latter is for registering runners at the org level, the former is for the repository level.

Actually, you immediately get back Resource not accessible by personal access token. This is because, per the docs, you must give it repository admin privileges, which means you're opening up that repository to a security risk just to have this functionality, which sucks, because the alternative is opening up potentially sensitive runners to the organization because 1) they're the only runners creatable by PAT tokens in a quasi-secure way, and 2) you must have Github Enterprise to use runner groups, which are a security feature.

GG, Github. Actively working against OSSers trying to get stuff done securely.

I feel you on that. GitHub's docs on security scopes look clear until you try to use them.

Is the work you did to get this working public and shareable or internal consumption only? I'm trying to get something similar to work with JIT runners, using GH App id and key to create JWT to call the JIT API, but keep getting bad credentials. I'd love to not reinvent the wheel over and over again. If it rolls, I'll use it or modify it to suit my needs.

[odinho]

I finally got this working, I had refreshed the tab many times (and hardly had waited a minute before trying to run it). What seems to have fixed it for me in the end is using the --replace flag for the config:

./config.sh --replace --url https://github.com/ORG --token TOKEN

Don't know if GitHub was actually having some downtime, or if it was indeed the --replace that fixed it though. 🤷

[ashleynguci]

I finally got this working as well. Our ACCESS_TOKEN was expired so I need to generate a new PAT( don't forget to authorize your org to this token) and update our REG_TOKEN with the new ACCESS_TOKEN:

REG_TOKEN=$(curl -sX POST -H "Authorization: token $ACCESS_TOKEN" https://api.github.com/repos/$REPO_POINTER/actions/runners/registration-token | jq .token --raw-output)

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-a-repository

[kyleparisi]

I was getting various 404s. Most were of this flavor: Unable to find runner owner. I finally found that the registration token url and the registration runner url differ slightly. Heres a snippet with just the data:

GITHUB_REGISTER_NAMESPACE=xxx # i.e. orgs/myorg or repos/kyleparisi/repo
https://api.github.com/$GITHUB_REGISTER_NAMESPACE/actions/runners/registration-token

GITHUB_RUNNER_NAMESPACE=xxx # i.e. myorg or kyleparisi/repo
./config.sh --url "https://github.com/$GITHUB_RUNNER_NAMESPACE" ...

[krishna007-cloud]

I used the token immediately after generating it. I know that the PAT used to generate the registration token is valid and has the permissions needed because passing it to the runner via --pat PAT works.

Using new token , worked for me.

[DeepestDesire]

I tried to reproduce the issue you reported, but I had no problem with org runner configuration. Are you sure that your token just didn't expire, since the token generated this way expires after an hour?

Using new token , worked for me. thank you.

[AlexanderStout]

As many people said, you need to go to Settings->Runners->New self-hosted runner page from scratch to regenerate the token you see in the generated code snipped

[tedsteen]

Got hit by this bug today. And the strange thing is it worked a couple of weeks ago, now I need to use --pat

@Caeleron did you ever find a solution or did you just settle on using --pat?

[electropolis]

I can admit that it doesn't work either. Half day spending how to debug that damn thing trying to register runner using TOKEN received from https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization

I don't know what is

The token must have the following permission set:

organization_self_hosted_runners:write

There is NO organization_self_hosted_runners group when creating classic pat.
I received the Token added it to command and hangs

ansible@srv-app-1:~/actions-runner$ ./config.sh --replace --url https://github.com/sonic-networks --token xxxx

--------------------------------------------------------------------------------
|        ____ _ _   _   _       _          _        _   _                      |
|       / ___(_) |_| | | |_   _| |__      / \   ___| |_(_) ___  _ __  ___      |
|      | |  _| | __| |_| | | | | '_ \    / _ \ / __| __| |/ _ \| '_ \/ __|     |
|      | |_| | | |_|  _  | |_| | |_) |  / ___ \ (__| |_| | (_) | | | \__ \     |
|       \____|_|\__|_| |_|\__,_|_.__/  /_/   \_\___|\__|_|\___/|_| |_|___/     |
|                                                                              |
|                       Self-hosted runner registration                        |
|                                                                              |
--------------------------------------------------------------------------------

# Authentication

--check gives me FAIL only here

**********************************************************************************************************************
**  Check:               GitHub Actions Connection
**  Description:         Check if the Actions runner has access to the GitHub Actions service.
**********************************************************************************************************************
**                                                                                                                  **
**                                            F A I L                                                               **
**                                                                                                                  **
**********************************************************************************************************************
** Log: /home/ansible/actions-runner/_diag/ActionsCheck_20240404-152536-utc.log
** Help Doc: https://github.com/actions/runner/blob/main/docs/checks/actions.md

That provides

ansible@srv-app-1:~/actions-runner$ grep 'Http request' /home/ansible/actions-runner/_diag/ActionsCheck_20240404-152536-utc.log
2024-04-04T15:25:36.8626335Z Http request 'GET' to https://codeload.github.com/_ping succeed
2024-04-04T15:25:36.8900423Z Http request 'GET' to https://api.github.com/ failed with Unauthorized
2024-04-04T15:25:37.6587220Z Http request 'GET' to https://vstoken.actions.githubusercontent.com/_apis/health succeed
2024-04-04T15:25:37.6710355Z Http request 'GET' to https://pipelines.actions.githubusercontent.com/_apis/health succeed
2024-04-04T15:25:37.9925644Z Http request 'GET' to https://results-receiver.actions.githubusercontent.com/health succeed
2024-04-04T15:25:38.0915047Z Http request 'POST' to https://pipelines.actions.githubusercontent.com/_apis/health has expected HTTP response header

[LuWang1983]

I just want to add that after I updated the permission scope of the pat token to have the repo:administration:read and write access, it worked on endpoint https://api.github.com/repos/<OWNER>/<REPO>/actions/runners/registration-token. But I agree that the 404 not found error is very misleading. I initially thought it was the api that was not found. Error handling in Github API endpoint needs to be improved.

If you are making calls to https://api.github.com/<orgs>/<ORG>/actions/runners/registration-token, your fine-grained token needs the organization_self_hosted_runners:write access. And if it's a classic, it needs repo:admin access. GitHub documentation mixes info about the token access and types together, it was a bit hard to read.

[Yifei0727]

I encountered same error message. thanks #issuecomment-1369682006
This surprised me because I expected a 401 (Unauthorized) or 403 (Forbidden) error code instead of a 404 (Not Found).

Here's how I fixed it:

I went to https://github.com/<OWNER>/<REPO>/settings/actions/runners/new and copied the new token code.
I updated the token used as a command-line parameter for the tool I was using.
This resolved the issue. The problem was indeed caused by an invalid or expired token.

Note: the token provided in

https://github.com/organizations//settings/actions/runners/new

is not static, it expires fast so this happens when not using the token immediately

[FelixSchladt]

I also have the same issue.

I have a token generation server, which hold the (definitely valid PAT with admin read+write), that provides the token to my self hosted runner via api, which is immediately used.

As i get that TOKEN via the PAT issued, i would also expect the PAT to be valid and have the correct access rights.
How is this not fixed or at least some helpful error message provided?

[MohanSaiTeki]

Just sharing my experience. We seen same issue when we hit the API Limit. Please cross check API Limit as well.

https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28

[rocallahan]

Some good advice piling up here. In my case, the error was because I was providing a repo URL when I was providing an org token and I needed to provide the corresponding org URL.

[parliament718]

Based on all the info here, the following works for me:

RUNNER_TOKEN=$(curl -s -X POST -H "Authorization: token ${GITHUB_TOKEN}" https://api.github.com/orgs/${GITHUB_ORG}/actions/runners/registration-token | jq -r .token)

./config.sh --replace --name ${ENVIRONMENT} --url https://github.com/${GITHUB_ORG} --runnergroup Default --url https://github.com/${GITHUB_ORG}/${GITHUB_REPO} --token ${RUNNER_TOKEN} --work /home/builder/actions-runner/runner --labels self-hosted,Linux,X64 --unattended

That is, a RUNNER_TOKEN is created using the organization-level endpoint, using a PAT with organization-level Self-Hosted Runners permissions (no need for Repo Admin permissions).

When using that token it's imperative to use the organization endpoint for --url and pass the repository url to --runnergroup.

Earlier somebody said runnergroup was for enterprise subscriptions only. I find that to not be the case. It works for me on the free Organization plan.

[shufps]

Issue is closed but I wanted to report my findings with the ephemeral mode too ...

I tried it out and re-registered the runners after each run new because it automatically gets removed from the github runners.

Doing this I also run in this 404 problem and additionally I was not able to obtain a new token because of API rate limit although I was never issuing 1000 requests per hour and I shared a token between threads and renewed it after 30min. Ofc I couldn't share the token between servers.

Putting the github personal access token inside the runner is a no-go so I haven't done this workaround.

I switched then to --once and it's working great - one big gear less that can break ... I hope the parameter never gets removed.

By the way, SIGTERM handling should be pulled straight, imHo, then I could live with neither ephemeral nor once^^ It's impossible to shutdown the runner clean with SIGTERM without killing jobs and getten CI Actions to hang in some weird state where you even can't remove the runners for an hour or so.