
feature: Documentation for how to use with the new Fine-grained personal access tokens

Open stianlagstad opened this issue 2 years ago • 2 comments

Summary

At https://github.com/settings/tokens?type=beta there's now a new type of Personalized Access Tokens (PATs) called fine-grained personal access tokens. Creating these looks different than creating "classic" PATs. The readme of this repository currently says

The token must have the repo scope (when creating a repo runner) or the admin:org scope (when creating a runner for an organization). Personal Access Token for GitHub account can be created here.

This is correct for the classic PATs, but since the process looks a bit different for the new fine-grained PATs, could a description for how to use these be added? It's not clear to me how to configure them.

Issue Type

Feature Idea

stianlagstad avatar May 05 '23 12:05 stianlagstad

I've managed to make this role work with the new Fine-grained token, for a runner at org-scope.

On the Organisation settings, I've set:

  • Allow access via fine-grained personal access tokens
  • Require administrator approval
  • Restrict access via personal access tokens (classic)

On my personal GitHub account (I am the org owner, for that matter), I've created a fine-grained PAT:

  • In the field "Resource owner", don't forget to select the organization you are a member of!
  • Repository access > Public repo (read-only): my org has no public repos, but I think this is irrelevant
  • In the Organization Permissions, you need to put Read and write access to "Administration" and "Self-hosted runners"

See also: https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#organization-administration

Hope it helps someone, and YES please update the documentation for this; even if this is a GitHub beta feature, it is now well-known!

4wk- avatar May 31 '23 09:05 4wk-

Is there any information on why this script needs read/write access to Administration? I mean, even if you told me what you want to do, I am not giving a random script from the internet the permission to completely delete our organization on GitHub, access to billing, and to membership - that simply does not work! Is there not any way around that? Right now, this solution will not be used in our company, period.

kratenko avatar Mar 08 '24 14:03 kratenko

Looking at the latest version of the API, I don't think it is necessary to give Administration access. It should be enough to have Read and write on Self-hosted runners only.

UPDATE: oh, it is the same version as referenced above :D

UPDATE: nevermind, seems like admin access is required. The fine-grained tokens are not fine-grained enough. Bummer.

AtomicFS avatar Feb 14 '25 13:02 AtomicFS