Fine-grained PAT permissions for organization level self-hosted runners #59733
Replies: 5 comments 2 replies
-
Totally agree. I've brought this up in some other threads as well: https://github.com/orgs/community/discussions/36441#discussioncomment-6420901
-
Bump please 🙏 This severe security issue makes the awesome grouping feature totally useless 😓
-
+1 It seems extremely bad practice to use a full-access PAT for a GitHub Actions runner.
-
🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the

Thank you for helping bring this Discussion to a resolution! 💬
-
Topic area: Question
Hello,
The documentation for creating a self-hosted runner at the organization level says that for a classic PAT, the `admin:org` permission is required. Unless I've misunderstood, this means if the token were compromised, it's essentially the end of the organization (the token would have permission to `DELETE /orgs/{org}`).

I'm therefore looking into creating a fine-grained PAT for the self-hosted runners to use, and on this there is no documentation at all. I've created a PAT with read/write permission to "Self-Hosted Runners" under "Organization permissions". With this, the self-hosted runner registers itself with the runners in the org, but when I run an action with labels matching this runner, it is queued forever ("Waiting for a runner to pick up this job..."), even though the runner is Idle.
On the runner itself I have run the diagnostic tool and everything is a PASS.
I guess there is some additional permission required? Help much appreciated!
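The least-privilege pattern behind the question (keep the long-lived PAT off the runner host and hand the runner only a short-lived registration token) as an added example; this is not the poster's script and not part of GitHub's runner package. It assumes the PAT is supplied in the `GH_PAT` environment variable and the org name in `RUNNER_ORG` (both names are assumptions), that `config.sh` from the runner package sits in the current directory, and it uses the documented endpoint `POST /orgs/{org}/actions/runners/registration-token`, which a fine-grained PAT can call with the "Self-hosted runners" organization permission set to read and write (a classic PAT needs `admin:org`). `configure_runner` is a hypothetical wrapper around `config.sh` so the rest of the flow can be exercised without a real runner.

```shell
#!/bin/sh
# Added example (assumed env vars: GH_PAT, RUNNER_ORG, optional RUNNER_GROUP
# and RUNNER_LABELS). The PAT is used once, from memory, to mint a
# short-lived registration token; only that token is passed to config.sh.
set -eu

GITHUB_API="${GITHUB_API:-https://api.github.com}"

# Exchange the PAT for a runner registration token (valid for one hour).
# Endpoint: POST /orgs/{org}/actions/runners/registration-token
# Fine-grained PAT: org permission "Self-hosted runners" = read and write.
# Prints the raw JSON reply; fails on a non-2xx status.
mint_registration_token() {
  _org="$1"
  _pat="$2"
  curl -sS -f -X POST \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer ${_pat}" \
    "${GITHUB_API}/orgs/${_org}/actions/runners/registration-token"
}

# Pull the "token" field out of a reply shaped like
# {"token":"...","expires_at":"..."}; prints nothing if the field is absent
# (for example when the PAT lacks the runner permission and the API
# returns only a "message").
extract_token() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Same for "expires_at", so the operator can see how long the token lives.
extract_expiry() {
  sed -n 's/.*"expires_at"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Hypothetical wrapper: the only place the registration token is used.
# --runnergroup / --labels are existing config.sh options; "Default" is the
# name of the org's built-in runner group.
configure_runner() {
  _org="$1"
  _token="$2"
  ./config.sh --unattended \
    --url "https://github.com/${_org}" \
    --token "${_token}" \
    --runnergroup "${RUNNER_GROUP:-Default}" \
    --labels "${RUNNER_LABELS:-self-hosted}"
}

# Mint a token and register. Returns 1 without touching config.sh when the
# API call fails or returns no token, so a mis-scoped PAT fails loudly.
register_runner() {
  _org="$1"
  _pat="$2"
  _reply="$(mint_registration_token "$_org" "$_pat")" || {
    echo "registration-token request failed (check PAT permissions)" >&2
    return 1
  }
  _token="$(printf '%s' "$_reply" | extract_token)"
  if [ -z "$_token" ]; then
    echo "no registration token in API reply (check PAT permissions)" >&2
    return 1
  fi
  echo "registration token expires at: $(printf '%s' "$_reply" | extract_expiry)" >&2
  configure_runner "$_org" "$_token"
}

# Only act when both inputs are present; otherwise the script is inert.
if [ -n "${RUNNER_ORG:-}" ] && [ -n "${GH_PAT:-}" ]; then
  register_runner "$RUNNER_ORG" "$GH_PAT"
  unset GH_PAT
fi
```

The script changes only how the credential is scoped and handed over: the PAT never reaches `config.sh` or the runner's `.credentials` files, and the token that does is useless after an hour. Whether a registered runner is subsequently offered a job is a separate matter governed by the runner group's repository access settings in the organization, not by the PAT used to register it.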