From ea8cf2e486ab38e92c809891aa5de1be57a1e497 Mon Sep 17 00:00:00 2001 From: Vincent Haupert Date: Wed, 19 Oct 2022 13:50:00 +0200 Subject: [PATCH] nixos/github-runners: support fine-grained personal access tokens Add support for GitHub's new fine-grained personal access tokens [1]. As opposed to the classic PATs, those start with `github_pat_` instead of `ghp_`. Make sure to use a token which has read and write access to the "Administration" resource group [2] to allow for registrations of new runners. [1] https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/ [2] https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration --- .../continuous-integration/github-runner/options.nix | 5 +++-- .../continuous-integration/github-runner/service.nix | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/continuous-integration/github-runner/options.nix b/nixos/modules/services/continuous-integration/github-runner/options.nix index ae89d3a3bfb6..796b5a7f1175 100644 --- a/nixos/modules/services/continuous-integration/github-runner/options.nix +++ b/nixos/modules/services/continuous-integration/github-runner/options.nix 
@@ -42,13 +42,14 @@ with lib; type = types.path; description = lib.mdDoc '' The full path to a file which contains either a runner registration token or a - personal access token (PAT). + (fine-grained) personal access token (PAT). The file should contain exactly one line with the token without any newline. If a registration token is given, it can be used to re-register a runner of the same name but is time-limited. If the file contains a PAT, the service creates a new registration token on startup as needed. Make sure the PAT has a scope of `admin:org` for organization-wide registrations or a scope of - `repo` for a single repository. + `repo` for a single repository. Fine-grained PATs need read and write permission + to the "Adminstration" resources. Changing this option or the file's content triggers a new runner registration. ''; diff --git a/nixos/modules/services/continuous-integration/github-runner/service.nix b/nixos/modules/services/continuous-integration/github-runner/service.nix index 4dc8445495a6..49195410bb42 100644 --- a/nixos/modules/services/continuous-integration/github-runner/service.nix +++ b/nixos/modules/services/continuous-integration/github-runner/service.nix @@ -134,10 +134,10 @@ with lib; ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} ${optionalString cfg.ephemeral "--ephemeral"} ) - # If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, + # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option, # if it is not a PAT, we assume it contains a registration token and use the --token option token=$(<"${newConfigTokenPath}") - if [[ "$token" =~ ^ghp_* ]]; then + if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then args+=(--pat "$token") else args+=(--token "$token")
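Review bot: the added description line in the options.nix hunk misspells "Administration" as "Adminstration" in `to the "Adminstration" resources.`; since this text is rendered as user-facing option documentation and the commit message already uses the correct spelling, fix it to `to the "Administration" resources.` before merging.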
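Review bot: the new condition in the service.nix hunk, `[[ "$token" =~ ^github_pat_* ]]`, repeats a latent bug from the existing `^ghp_*` check: inside `[[ ... =~ ... ]]` the right-hand side is a POSIX extended regex, so `*` applies only to the preceding `_` and the pattern matches "github_pat" followed by zero or more underscores rather than the literal prefix "github_pat_" the comment describes. Any token file whose content happens to start with "ghp" or "github_pat" but is not a PAT would be passed to `--pat` instead of `--token`. Suggest a single anchored regex without the stray quantifier, e.g. `if [[ "$token" =~ ^(ghp|github_pat)_ ]]; then`, or a glob comparison with `==` (`[[ "$token" == ghp_* || "$token" == github_pat_* ]]`) if a literal prefix match is the intent; either form also makes the comment on the line above accurate.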