
Merge pull request #196728 from veehaitch/github-runner-new-pats

nixos/github-runner: support fine-grained personal access tokens

authored by Domen Kožar and committed by GitHub
d2cfe468 5d2330dd

+5 -4
+3 -2
nixos/modules/services/continuous-integration/github-runner/options.nix
··· 42 42 type = types.path; 43 43 description = lib.mdDoc '' 44 44 The full path to a file which contains either a runner registration token or a 45 - personal access token (PAT). 45 + (fine-grained) personal access token (PAT). 46 46 The file should contain exactly one line with the token without any newline. 47 47 If a registration token is given, it can be used to re-register a runner of the same 48 48 name but is time-limited. If the file contains a PAT, the service creates a new 49 49 registration token on startup as needed. Make sure the PAT has a scope of 50 50 `admin:org` for organization-wide registrations or a scope of 51 - `repo` for a single repository. 51 + `repo` for a single repository. Fine-grained PATs need read and write permission 52 + to the "Adminstration" resources. 52 53 53 54 Changing this option or the file's content triggers a new runner registration. 54 55 '';
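Review bot: the added description line 52 has a typo, "Adminstration" should read "Administration". It would also help to state which level that permission applies to: the preceding sentences distinguish `admin:org` for organization-wide registrations from `repo` for a single repository, but the new sentence on fine-grained PATs gives a single permission without saying whether it is a repository or organization permission, so a reader configuring an org-wide runner cannot tell from this text what the token needs.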
+2 -2
nixos/modules/services/continuous-integration/github-runner/service.nix
··· 134 134 ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} 135 135 ${optionalString cfg.ephemeral "--ephemeral"} 136 136 ) 137 - # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, 137 + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, 138 138 # if it is not a PAT, we assume it contains a registration token and use the --token option 139 139 token=$(<"${newConfigTokenPath}") 140 - if [[ "$token" =~ ^ghp_* ]]; then 140 + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then 141 141 args+=(--pat "$token") 142 142 else 143 143 args+=(--token "$token")
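Review bot: the regex on line 140 does not do what the comment on line 137 says. In `^ghp_*` and `^github_pat_*` the `*` quantifies only the preceding `_`, so the patterns match any token beginning with `ghp` or `github_pat` followed by zero or more underscores, not tokens starting with the `ghp_` / `github_pat_` prefixes; an unquoted `*` in `=~` is also easy to misread as a glob. Anchored prefixes are enough here, e.g. `if [[ "$token" =~ ^(ghp|github_pat)_ ]]; then`, which combines both checks and makes the prefix test literal. The comment line 137 is now quite long; wrapping it would keep it in line with the surrounding comment style.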