Merge pull request #196728 from veehaitch/github-runner-new-pats

pyrox.dev / nixpkgs

fork atom

lol

fork atom

nixos/github-runner: support fine-grained personal access tokens

authored by

Domen Kožar and committed by

GitHub 3 years ago d2cfe468 5d2330dd

+5 -4

2 changed files

expand all

unified split

nixos

modules

services

continuous-integration

github-runner

options.nix

service.nix

+3 -2

nixos/modules/services/continuous-integration/github-runner/options.nix

··· 42 type = types.path; 43 description = lib.mdDoc '' 44 The full path to a file which contains either a runner registration token or a 45 - personal access token (PAT). 46 The file should contain exactly one line with the token without any newline. 47 If a registration token is given, it can be used to re-register a runner of the same 48 name but is time-limited. If the file contains a PAT, the service creates a new 49 registration token on startup as needed. Make sure the PAT has a scope of 50 `admin:org` for organization-wide registrations or a scope of 51 - `repo` for a single repository. 52 53 Changing this option or the file's content triggers a new runner registration. 54 '';

··· 42 type = types.path; 43 description = lib.mdDoc '' 44 The full path to a file which contains either a runner registration token or a 45 + (fine-grained) personal access token (PAT). 46 The file should contain exactly one line with the token without any newline. 47 If a registration token is given, it can be used to re-register a runner of the same 48 name but is time-limited. If the file contains a PAT, the service creates a new 49 registration token on startup as needed. Make sure the PAT has a scope of 50 `admin:org` for organization-wide registrations or a scope of 51 + `repo` for a single repository. Fine-grained PATs need read and write permission 52 + to the "Adminstration" resources. 53 54 Changing this option or the file's content triggers a new runner registration. 55 '';

+2 -2

nixos/modules/services/continuous-integration/github-runner/service.nix

··· 134 ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} 135 ${optionalString cfg.ephemeral "--ephemeral"} 136 ) 137 - # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, 138 # if it is not a PAT, we assume it contains a registration token and use the --token option 139 token=$(<"${newConfigTokenPath}") 140 - if [[ "$token" =~ ^ghp_* ]]; then 141 args+=(--pat "$token") 142 else 143 args+=(--token "$token")

··· 134 ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} 135 ${optionalString cfg.ephemeral "--ephemeral"} 136 ) 137 + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, 138 # if it is not a PAT, we assume it contains a registration token and use the --token option 139 token=$(<"${newConfigTokenPath}") 140 + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then 141 args+=(--pat "$token") 142 else 143 args+=(--token "$token")