Github Actions runner only usable for organizations, not regular users? #704

@Ocramius

After various hours of tinkering with the GitHub Actions runner role provided by this repository, I figured out that it can't work for me.

I'm therefore opening this issue for:

  1. others to be able to skip the effort I put into this
  2. perhaps expand scope of this project to regular users

The main culprit seems to be here:

unconfigureRunnerGitHubApp = writeScript "unconfigure-github-app" ''
  set -euo pipefail
  export APP_ID=${cfg.githubApp.id}
  export APP_LOGIN=${cfg.githubApp.login}
  export RUNNER_SCOPE="org"
  export ORG_NAME="${cfg.githubApp.login}"
  export APP_PRIVATE_KEY=$(cat ${cfg.githubApp.privateKeyFile})
  ACCESS_TOKEN=$(${app_token}/bin/fetch_access_token)
  export ACCESS_TOKEN
  umask 000
  export RUNNER_NAME=${escapeShellArg cfg.name}

As you can see, RUNNER_SCOPE="org" is hardcoded here.

I then tried adding a workaround in a private fork, but stumbled on completely different behavior for regular users here:

case ${RUNNER_SCOPE} in
  org*)
    _FULL_URL="${URI}/orgs/${ORG_NAME}/actions/runners/registration-token"
    ;;
  ent*)
    _FULL_URL="${URI}/enterprises/${ENTERPRISE_NAME}/actions/runners/registration-token"
    ;;
  *)
    _PROTO="https://"
    # shellcheck disable=SC2116
    _URL="$(echo "${REPO_URL/${_PROTO}/}")"
    _PATH="$(echo "${_URL}" | grep / | cut -d/ -f2-)"
    _ACCOUNT="$(echo "${_PATH}" | cut -d/ -f1)"
    _REPO="$(echo "${_PATH}" | cut -d/ -f2)"
    _FULL_URL="${URI}/repos/${_ACCOUNT}/${_REPO}/actions/runners/registration-token"
    ;;
esac

It seems like regular users need to define a REPO_URL environment variable, which then ends up generating a token URL like:

https://api.github.com/repos/$APP_LOGIN/$REPO_URL/actions/runners/registration-token

This URL seems to 404 for me, around this location:

RUNNER_TOKEN="$(curl -XPOST -fsSL \
  -H "${CONTENT_LENGTH_HEADER}" \
  -H "${AUTH_HEADER}" \
  -H "${API_HEADER}" \
  "${_FULL_URL}" |
  jq -r '.token')"

I can't seem to enable access to specific repositories for my app (https://github.com/settings/apps/$NAME_OF_APP_HERE) installation (https://github.com/settings/installations/$INSTALLATION_ID).

Does anybody know if personal account setup is just cursed, or if there's a way to add GitHub runners also that way?

EDIT: related: https://github.com/orgs/community/discussions/43524 - the manage_runners:enterprise scope is needed for the generated token, as it seems. I'm not 100% sure where that would be done: it feels like a completely different flow?
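
The scope-to-endpoint selection quoted in the issue, rewritten as an added example (not part of the original issue and not the project's code) that fails early when the variable a scope depends on is missing or malformed, instead of sending a request that returns 404. The function name `registration_token_url`, the fallback value for `URI`, and the sample account and repository names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: build the registration-token
# endpoint for each RUNNER_SCOPE and refuse inputs that cannot form one.
# Assumption: URI falls back to https://api.github.com when unset.

registration_token_url() {
  local scope uri path account repo
  scope="${1:-}"
  uri="${URI:-https://api.github.com}"
  case "${scope}" in
    org*)
      [ -n "${ORG_NAME:-}" ] || { echo "ORG_NAME is required" >&2; return 2; }
      echo "${uri}/orgs/${ORG_NAME}/actions/runners/registration-token"
      ;;
    ent*)
      [ -n "${ENTERPRISE_NAME:-}" ] || { echo "ENTERPRISE_NAME is required" >&2; return 2; }
      echo "${uri}/enterprises/${ENTERPRISE_NAME}/actions/runners/registration-token"
      ;;
    *)
      # Repository scope: REPO_URL has to be a full https URL, because the
      # account and repository names are cut out of its path.
      case "${REPO_URL:-}" in
        https://*) ;;
        *) echo "REPO_URL must be https://<host>/<account>/<repo>" >&2; return 2 ;;
      esac
      path="${REPO_URL#https://}"  # drop the protocol
      case "${path}" in */*) ;; *) echo "REPO_URL has no path" >&2; return 2 ;; esac
      path="${path#*/}"            # drop the host
      path="${path%/}"             # tolerate a trailing slash
      path="${path%.git}"          # tolerate a clone URL
      case "${path}" in
        ?*/?*) ;;
        *) echo "REPO_URL lacks <account>/<repo>" >&2; return 2 ;;
      esac
      account="${path%%/*}"
      repo="${path#*/}"
      repo="${repo%%/*}"
      echo "${uri}/repos/${account}/${repo}/actions/runners/registration-token"
      ;;
  esac
}

# Constructed sample input; the account and repository are placeholders.
( REPO_URL="https://github.com/example-user/example-repo"; registration_token_url repo )
```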
