Runner Registration Token requires admin access token with full privileges

[rushminatorr]

Select Topic Area

Question

Body

Hello,
We are setting up some self-hosted github runners for our organisation.
Looking at the docs, we require a runner registration token.
Since we are automating this process, we want to be very specific in permissions we assign to our ci github user which is likely to generate token.

The docs say for org token registration, we require an access token with most privileges.
"You must authenticate using an access token with the admin:org scope to use this endpoint."

https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization

These permissions are too open for setting up runners. We understand we might need some level of org permissions but seems like we need GOD Mode for setting up org runners.

Is there any better way to set these up?

[Srirammkm]

We are also facing the same issue. It will be good if we have any granular access for runner registration permission.

[asiena]

You should be able to use a fine-grained token and specify "Self-hosted runner" permissions under "Organization" settings.

[tonyhutter]

To get your registration-token for your self-hosted runner, I believe you have two options:

Set Organization permissions for "Self-hosted runners"

• Applies to all repos, but with less scary privileges:

POST /orgs/{org}/actions/runners/registration-token
https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#organization-permissions-for-self-hosted-runners

Set Repository permissions for "Administration"

• Single repo only, but scarier permission (like "delete my repo")

POST /repos/{owner}/{repo}/actions/runners/registration-token
https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#repository-permissions-for-administration

github team - Could you please separate the registration-token permission from the per-repo "Administration" permissions? Or allow ultra-fine-grained permissions to select the exact API calls that are allowed (like POST /repos/{owner}/{repo}/actions/runners/registration-token)?

[pdonorio]

Something has changed.

Checking today, I can see in https://github.com/settings/personal-access-tokens/new

Using it with a few other permissions on the repo level seems to work!

[wash-amzn]

That option doesn't appear for the new fine-grained tokens. It would be great to have it added, as I don't like the idea of having to add "Administration".

[pdonorio]

see https://github.com/orgs/community/discussions/53361#discussioncomment-9289579 to make sure you don't have it

[ryanberger-az]

@pdonorio I am not seeing this on my end; can you provide more information of what level access you gave the PAT in order to get it to register the self hosted runners?

[pdonorio]

@ryanberger-az steps I made:

• go to https://github.com/settings/personal-access-tokens/new
• select "Resource owner" to be an organization
• in "Permissions" section open "Organization permissions"
• give access to "Self-hosted runners" (read and write)

You may also need permissions on the repo level (Read access to metadata and secrets,
Read and Write access to actions, actions variables, code, commit statuses, deployments, environments, pull requests, and workflows) - but at the org level nothing else than the self hosted runners

[ryanberger-az]

@pdonorio thanks! This helped. I was missing the Enrollment at the Organizational level - after I went through this wizard, I was able to make the token and link it to the org and use that PAT to enroll my runners. Thanks again!