nixos/github-runners: support fine-grained personal access tokens

Add support for GitHub's new fine-grained personal access tokens [1]. As
opposed to the classic PATs, those start with `github_pat_` instead of
`ghp_`.

Make sure to use a token which has read and write access to the
"Administration" resource group [2] to allow for registrations of new
runners.

[1] https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

[2] https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration
main
Vincent Haupert 2 years ago
parent ff27dc3a09
commit ea8cf2e486
  1. nixos/modules/services/continuous-integration/github-runner/options.nix (5)
  2. nixos/modules/services/continuous-integration/github-runner/service.nix (4)

@ -42,13 +42,14 @@ with lib;
type = types.path; type = types.path;
description = lib.mdDoc '' description = lib.mdDoc ''
The full path to a file which contains either a runner registration token or a The full path to a file which contains either a runner registration token or a
personal access token (PAT). (fine-grained) personal access token (PAT).
The file should contain exactly one line with the token without any newline. The file should contain exactly one line with the token without any newline.
If a registration token is given, it can be used to re-register a runner of the same If a registration token is given, it can be used to re-register a runner of the same
name but is time-limited. If the file contains a PAT, the service creates a new name but is time-limited. If the file contains a PAT, the service creates a new
registration token on startup as needed. Make sure the PAT has a scope of registration token on startup as needed. Make sure the PAT has a scope of
`admin:org` for organization-wide registrations or a scope of `admin:org` for organization-wide registrations or a scope of
`repo` for a single repository. `repo` for a single repository. Fine-grained PATs need read and write permission
to the "Adminstration" resources.
Changing this option or the file's content triggers a new runner registration. Changing this option or the file's content triggers a new runner registration.
''; '';
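Review bot: the sentence added on the right-hand side of this hunk misspells the permission name: `to the "Adminstration" resources.` should read `to the "Administration" resources.`. This text is rendered into the option documentation, and the commit message itself spells it "Administration", so the typo should be fixed in the same commit.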

@ -134,10 +134,10 @@ with lib;
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"} ${optionalString cfg.ephemeral "--ephemeral"}
) )
# If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option # if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}") token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]]; then if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token") args+=(--pat "$token")
else else
args+=(--token "$token") args+=(--token "$token")
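Review bot: the new condition `[[ "$token" =~ ^github_pat_* ]]` copies the quantifier mistake of the existing `^ghp_*` test. On the right-hand side of `=~` the pattern is an extended regular expression, so `*` binds to the preceding `_` and `^ghp_*` matches any value starting with `ghp` followed by zero or more underscores, while `^github_pat_*` matches anything starting with `github_pat`. Real tokens still match, so the change works as intended, but the check the comment describes ("starts with `ghp_` or `github_pat_`") is expressed more precisely with one anchored alternation and no `*`, e.g. `if [[ "$token" =~ ^(ghp_|github_pat_) ]]; then`, or with glob matching, `if [[ "$token" == ghp_* || "$token" == github_pat_* ]]; then`. Tightening the prefix test keeps a malformed token file from being silently passed as `--pat` when it should have failed as a registration token.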
