Runner Registration Token requires admin access token with full privileges #53361
Replies: 10 comments 7 replies
-
We are also facing the same issue. It will be good if we have any granular access for runner registration permission.
-
You should be able to use a fine-grained token and specify "Self-hosted runner" permissions under "Organization" settings.
-
To get your

Set Organization permissions for "Self-hosted runners"
POST /orgs/{org}/actions/runners/registration-token

Set Repository permissions for "Administration"
POST /repos/{owner}/{repo}/actions/runners/registration-token

github team - Could you please separate the
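The two calls listed in the reply above, as an added example (not code from the thread or from GitHub): it requests a registration token with a fine-grained PAT and, when the API refuses, names the permission the reply says that endpoint needs. The helper names and the choice to treat 401, 403 and 404 as permission failures are assumptions.

```python
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

# Fine-grained PAT permission per endpoint, as stated in the reply above.
REQUIRED = {
    "org": 'Organization permission "Self-hosted runners"',
    "repo": 'Repository permission "Administration"',
}

def build_request(pat, org=None, owner=None, repo=None):
    """Return (scope, Request) for the org- or repo-level endpoint."""
    if org and not (owner or repo):
        scope, path = "org", f"/orgs/{org}/actions/runners/registration-token"
    elif owner and repo and not org:
        scope, path = "repo", f"/repos/{owner}/{repo}/actions/runners/registration-token"
    else:
        raise ValueError("pass either org, or owner and repo")
    req = urllib.request.Request(API + path, method="POST", headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {pat}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    return scope, req

def registration_token(pat, opener=urllib.request.urlopen, **target):
    """Exchange the PAT for a short-lived runner registration token."""
    scope, req = build_request(pat, **target)
    try:
        with opener(req, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        # Assumption: these three codes are treated as a permission problem.
        if err.code in (401, 403, 404):
            raise PermissionError(
                f"HTTP {err.code} from {req.full_url}: "
                f"check that the token has {REQUIRED[scope]}"
            ) from None
        raise
    # Only the registration token and its expiry leave this function.
    return body["token"], body["expires_at"]
```

Call it as `registration_token(pat, org="my-org")` or `registration_token(pat, owner="me", repo="my-repo")`; the `opener` parameter exists so the exchange can be exercised without network access.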
-
Something has changed. Checking today, I can see in https://github.com/settings/personal-access-tokens/new Using it with a few other permissions on the repo level seems to work!
-
That option doesn't appear for the new fine-grained tokens. It would be great to have it added, as I don't like the idea of having to add "Administration".
-
@pdonorio I am not seeing this on my end; can you provide more information on what level of access you gave the PAT in order to get it to register the self-hosted runners?
-
This is another thing where there obviously is no security awareness - unbelievable that you need full admin permissions to manage github runners on repositories 😑 I'm switching to org runners too, ephemeral runners are simply not possible (with good conscience) for just a single repository.
-
I've run into a similar issue, but I'm not sure if it's the same one. We have an organization account for which most of our users are "Members". They are able to create PATs for self-hosted runners with the permissions required, but the runner token exchange gives "Unauthorized Access" responses, regardless of the configurations suggested above. However, if the user that owns the PAT becomes an account OWNER, it works.

We want to have a shared account under the org that represents the org itself that can own our self-hosted runners, but we don't want that to be an account owner. This doesn't work. We can see that the response changes immediately after switching the user that owns the PAT to an Org Owner vs. Org Member.

Is this documented? Is it a bug? I can't find ANYTHING suggesting that this is a requirement, but it's the only thing that works for us.
-
Select Topic Area
Question
Body
Hello,
We are setting up some self-hosted github runners for our organisation.
Looking at the docs, we require a runner registration token. Since we are automating this process, we want to be very specific in the permissions we assign to our CI GitHub user, which is likely to generate the token.
The docs say for org token registration, we require an access token with most privileges.
"You must authenticate using an access token with the admin:org scope to use this endpoint."
https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization
These permissions are too open for setting up runners. We understand we might need some level of org permissions but seems like we need GOD Mode for setting up org runners.
Is there any better way to set these up?