movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-25 10:36:36 +03:00
Code Activity

nixos/github-runners: support fine-grained personal access tokens

Browse source 
Add support for GitHub's new fine-grained personal access tokens [1]. As
opposed to the classic PATs, those start with `github_pat_` instead of
`ghp_`.

Make sure to use a token which has read and write access to the
"Administration" resource group [2] to allow for registrations of new
runners.

[1] https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/

[2] https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration
This commit is contained in:
Vincent Haupert 2022-10-19 13:50:00 +02:00
parent ff27dc3a09
commit ea8cf2e486
2 changed files with 5 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
nixos/modules/services/continuous-integration/github-runner/options.nix
View file

@ -42,13 +42,14 @@ with lib;
type = types.path; type = types.path;
description = lib.mdDoc '' description = lib.mdDoc ''
The full path to a file which contains either a runner registration token or a The full path to a file which contains either a runner registration token or a
personal access token (PAT). (fine-grained) personal access token (PAT).
The file should contain exactly one line with the token without any newline. The file should contain exactly one line with the token without any newline.
If a registration token is given, it can be used to re-register a runner of the same If a registration token is given, it can be used to re-register a runner of the same
name but is time-limited. If the file contains a PAT, the service creates a new name but is time-limited. If the file contains a PAT, the service creates a new
registration token on startup as needed. Make sure the PAT has a scope of registration token on startup as needed. Make sure the PAT has a scope of
`admin:org` for organization-wide registrations or a scope of `admin:org` for organization-wide registrations or a scope of
`repo` for a single repository. `repo` for a single repository. Fine-grained PATs need read and write permission
to the "Adminstration" resources.
Changing this option or the file's content triggers a new runner registration. Changing this option or the file's content triggers a new runner registration.
''; '';

4
nixos/modules/services/continuous-integration/github-runner/service.nix
View file

@ -134,10 +134,10 @@ with lib;
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"} ${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"} ${optionalString cfg.ephemeral "--ephemeral"}
) )
# If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option, # If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option # if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}") token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]]; then if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token") args+=(--pat "$token")
else else
args+=(--token "$token") args+=(--token "$token")