Runner Registration Token requires admin access token with full privileges #53361
Replies: 6 comments 3 replies
-
We are also facing the same issue. It will be good if we have any granular access for runner registration permission.
-
You should be able to use a fine-grained token and specify "Self-hosted runner" permissions under "Organization" settings.
-
To get your
Set Organization permissions for "Self-hosted runners"
POST /orgs/{org}/actions/runners/registration-token
Set Repository permissions for "Administration"
POST /repos/{owner}/{repo}/actions/runners/registration-token
github team - Could you please separate the
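The two calls listed in the comment above, as an added example that is not part of the thread or GitHub's own code: it requests a runner registration token with a fine-grained token and turns a 403/404 into a hint naming the permission from that comment. `RUNNER_SCOPE`, `GITHUB_PAT`, the function names and the injectable `opener` are assumptions of this example.

```python
import json
import os
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"
API_VERSION = "2022-11-28"  # apiVersion from the docs URL quoted in this thread
N = r"[\w-][\w.-]*"  # one path segment; must not start with a dot
SCOPE_RE = re.compile(rf"orgs/{N}|repos/{N}/{N}")


def build_request(scope, pat):
    """Build the POST for scope 'orgs/<org>' or 'repos/<owner>/<repo>'."""
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError("scope must be orgs/<org> or repos/<owner>/<repo>")
    return urllib.request.Request(
        f"{API}/{scope}/actions/runners/registration-token",
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {pat}",
            "X-GitHub-Api-Version": API_VERSION,
        },
    )


def get_registration_token(scope, pat, opener=urllib.request.urlopen):
    """Return (token, expires_at). `opener` is injectable so this can be tested offline."""
    needed = ('organization permission "Self-hosted runners"' if scope.startswith("orgs/")
              else 'repository permission "Administration"')
    try:
        with opener(build_request(scope, pat)) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (403, 404):
            # Assumption: 403/404 here means a missing permission. The PAT is never echoed.
            raise PermissionError(f"HTTP {err.code}: token may lack {needed}") from None
        raise
    expires = datetime.fromisoformat(body["expires_at"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        raise RuntimeError("registration token is already expired")
    return body["token"], expires


if __name__ == "__main__":
    # RUNNER_SCOPE and GITHUB_PAT are assumed environment variable names.
    _, exp = get_registration_token(os.environ["RUNNER_SCOPE"], os.environ["GITHUB_PAT"])
    print(f"registration token obtained, expires {exp.isoformat()}")
```

The registration token itself is returned to the caller and never printed, so it can be handed straight to the runner's configuration step without appearing in CI logs.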
-
Something has changed. Checking today, I can see in https://github.com/settings/personal-access-tokens/new Using it with a few other permissions on the repo level seems to work!
-
That option doesn't appear for the new fine-grained tokens. It would be great to have it added, as I don't like the idea of having to add "Administration".
-
@pdonorio I am not seeing this on my end; can you provide more information of what level access you gave the PAT in order to get it to register the self hosted runners?
-
Hello,
We are setting up some self-hosted github runners for our organisation.
Looking at the docs, we require a runner registration token. Since we are automating this process, we want to be very specific in permissions we assign to our ci github user which is likely to generate token.
The docs say for org token registration, we require an access token with most privileges.
"You must authenticate using an access token with the admin:org scope to use this endpoint."
https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization
These permissions are too open for setting up runners. We understand we might need some level of org permissions but seems like we need GOD Mode for setting up org runners.
Is there any better way to set these up?