pyrox.dev / nixpkgs
lol
fork atom

nixos/github-runners: support fine-grained personal access tokens

Add support for GitHub's new fine-grained personal access tokens [1]. As
opposed to the classic PATs, those start with `github_pat_` instead of
`ghp_`.

Make sure to use a token which has read and write access to the
"Administration" resource group [2] to allow for registrations of new
runners.

[1] https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

[2] https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration

Vincent Haupert ea8cf2e4 ff27dc3a

options
unified split
Changed files
+5 -4
nixos
modules
services
continuous-integration
github-runner
options.nix
service.nix
+3 -2
nixos/modules/services/continuous-integration/github-runner/options.nix 
···

       
42

       
42

       
 

       
    type = types.path;


     

       
43

       
43

       
 

       
    description = lib.mdDoc ''


     

       
44

       
44

       
 

       
      The full path to a file which contains either a runner registration token or a


     

       
45

       

       
-

       
      personal access token (PAT).


     

       

       
45

       
+

       
      (fine-grained) personal access token (PAT).


     

       
46

       
46

       
 

       
      The file should contain exactly one line with the token without any newline.


     

       
47

       
47

       
 

       
      If a registration token is given, it can be used to re-register a runner of the same


     

       
48

       
48

       
 

       
      name but is time-limited. If the file contains a PAT, the service creates a new


     

       
49

       
49

       
 

       
      registration token on startup as needed. Make sure the PAT has a scope of


     

       
50

       
50

       
 

       
      `admin:org` for organization-wide registrations or a scope of


     

       
51

       

       
-

       
      `repo` for a single repository.


     

       

       
51

       
+

       
      `repo` for a single repository. Fine-grained PATs need read and write permission


     

       

       
52

       
+

       
      to the "Adminstration" resources.


     

       
52

       
53

       
 

       



     

       
53

       
54

       
 

       
      Changing this option or the file's content triggers a new runner registration.


     

       
54

       
55

       
 

       
    '';
+2 -2
nixos/modules/services/continuous-integration/github-runner/service.nix 
···

       
134

       
134

       
 

       
              ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}


     

       
135

       
135

       
 

       
              ${optionalString cfg.ephemeral "--ephemeral"}


     

       
136

       
136

       
 

       
            )


     

       
137

       

       
-

       
            # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option,


     

       

       
137

       
+

       
            # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,


     

       
138

       
138

       
 

       
            # if it is not a PAT, we assume it contains a registration token and use the --token option


     

       
139

       
139

       
 

       
            token=$(<"${newConfigTokenPath}")


     

       
140

       

       
-

       
            if [[ "$token" =~ ^ghp_* ]]; then


     

       

       
140

       
+

       
            if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then


     

       
141

       
141

       
 

       
              args+=(--pat "$token")


     

       
142

       
142

       
 

       
            else


     

       
143

       
143

       
 

       
              args+=(--token "$token")