Doubt about app_token.sh

[Abramo-Bagnara]

I've not found anything in documentation about the GitHub App permissions needed to be able to register a runner for a given repo/org/enterprise.

I've read the needed PAT permission here
https://github.com/myoung34/docker-github-actions-runner/wiki/Usage#token-scope

but the mapping to App permission is not trivial. Can you help me?

[myoung34]

I don't have this answer off hand, but if you can find minimal permissions I'm happy to put them on the wiki

[timnolte]

This also appears to be an issue for me as well. I can't seem to get a working PAT that actually authenticates without a 404 failure and I can only get a runner working temporarily by supplying a RUNNER_TOKEN which eventually doesn't work anymore.

[timnolte]

OK, to follow up I think the problem is the new Fine-grained tokens setup. I was able to successfully create a classic token selecting all of the permissions as outlined in the Usage guide for token scopes. After that I was able to drop the RUNNER_TOKEN and only use the ACCESS_TOKEN and things seem to be working. I think it will be critical going forward that we do figure out what the permissions setup is going to be needed using the Fine-grained tokens.

[kranzo]

[...]
These endpoints are available for authenticated users, OAuth Apps, and GitHub Apps. Access tokens require repo scope for private repositories and public_repo scope for public repositories. GitHub Apps must have the administration permission for repositories the organization_self_hosted_runners permission for organizations. Authenticated users must have admin access to repositories or organizations, or the manage_runners:enterprise scope for enterprises to use these endpoints.

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28

I'm not sure if the PAT permissions are minimal right now but had no time to check yet :)

[chantra]

The GH app needs admin:org permission per https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#:~:text=POST%20/orgs/%7Borg%7D/actions/runners/registration%2Dtoken%20(write)

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization

[chantra]

replace org by repo/enterprise depending on your use-case.

[chantra]

@myoung34 could you update the wiki with that information?

[kranzo]

The GH app needs admin:org permission per https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#:~:text=POST%20/orgs/%7Borg%7D/actions/runners/registration%2Dtoken%20(write)

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization

the documentation seems to be wrong here:

according to this

org:Self-hosted runners Write permissions

are sufficient which corresponds with my tests.

so it would be :

• repo:admin for repository runners
• org:Self-hosted runners for org runners

[myoung34]

If someone can give me the full explicit version of what I should document I'm more than happy to do so

Are one of you willing to consolidate your findings for me? This is not a portion of this image I use often enough and my brains are pretty fried at this point 😆

If youll post a concise summary of permissions and a description Ill definitely commit it to the wiki 🙏

[sloede]

As far as I can tell, https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28 gives a good overview of what is needed in terms of permissions for registering/managing runners:

• when using a classic personal access token (PAT):
  • repo/public_repo scope for repo runners
  • admin:org for org runners
• when using a GitHub App/fine-grained access token:
  • administration for repo runners
  • organization_self_hosted_runners for org runners

EDIT: Oh, and of course one would always need "read and write" permissions, since creating a registration token is a POST operation.

[sloede]

After conducting an experiment, I can confirm that organization_self_hosted_runners with read & write permissions is sufficient for registering runners with GitHub App authentication.

[myoung34]

Thanks!