actions
Runner Scale Set Auth Secret Does Not Support GH App Client ID
Checks
- [X] I've already read https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors and I'm sure my issue is not covered in the troubleshooting guide.
- [X] I am using charts that are officially provided
Controller Version
0.9.3
Deployment Method
Helm
Checks
- [X] This isn't a question or user support case (For Q&A and community support, go to Discussions).
- [X] I've read the Changelog before submitting this issue and I'm sure it's not due to any recently-introduced backward-incompatible changes
To Reproduce
1. Create an auth secret to authenticate a runner scale set, use the GH App's Client ID (not App ID) in the "github_app_id" secret parameter.
2. Attempt to use this secret when deploying the helm chart for a new runner scale set. Observe the reconciler error stating `"strconv.ParseInt: parsing \"[GH APP CLIENT ID HERE]\": invalid syntax"`.
Describe the bug
While deploying a runner scale set, I attempted to use the GH App client ID rather than the GH App ID. This produces the following error in the reconciler:
ERROR Reconciler error {"controller": "autoscalingrunnerset", "controllerGroup": "actions.github.com", "controllerKind": "AutoscalingRunnerSet", "AutoscalingRunnerSet": {"name":"gh-arc-runners","namespace":"arc-runners"}, "namespace": "arc-runners", "name": "gh-arc-runners", "reconcileID": "bad05748-8745-447f-bac3-62d771451fe0", "error": "strconv.ParseInt: parsing "I[REDACTED FOR SECURITY REASONS}": invalid syntax"}
However, per the GH App Docs an App ID and Client ID should both be allowed in the iss parameter of a JWT token. Additionally, GitHub seems to be guiding people to use the Client ID for authenticating GH Apps instead of the App ID (messaging such as:
Using your App ID to get installation tokens? You can now use your Client ID instead.
appears on the app configuration page).
When I run this with an App ID instead of a Client ID the runner scale set deploys as expected.
Describe the expected behavior
I'd expect the Client ID to be able to be used when deploying a new Runner Scale Set.
Additional Context
None.
Controller Logs
See note above about the relevant logs output by the controller.
Runner Pod Logs
None, since the runner pod never was deployed because of this error.
Hello! Thank you for filing an issue.
The maintainers will triage your issue shortly.
In the meantime, please take a look at the troubleshooting guide for bug reports.
If this is a feature request, please review our contribution guidelines.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hey, @molson504x.
Thanks for sharing your experience and validating my own. I ran into the same problem today as I attempted to use a Terraform module to deploy arc. I ran into the same problem you did. If you're looking to create a Kubernetes secret with gh_app_id, gh_app_installation_id, and gh_app_private_key, this is what worked for me:
- Navigate to https://github.com/organizations/YOUR_ORGANIZATION/settings/installations
- Left-click
Configureon the GitHub app you created - Rip the
INSTALLATION_IDinteger from the URL - Store it and set it where needed
I hope this helps or you've found the same workaround already 👍
@Link- / @nikola-jokic - Looks like the code is always treating the GitHub App ID as an int (calling ParseInt). However, customers have been advised to move to using the Client ID everywhere that they formerly used App ID. Since the Client ID is alphanumeric, the call to ParseInt will fail. This issue still reproduces in 0.11.0.
References:
- https://github.blog/changelog/2024-05-01-github-apps-can-now-use-the-client-id-to-fetch-installation-tokens/
- https://github.blog/changelog/2024-08-23-client-ids-are-now-included-in-app-api-responses/
