Tags: github-actions, amazon-eks

Github Actions Runners Enterprise PAT permissions


Has anyone verified what PAT permissions work for Github Actions for Github cloud Enterprise runners?
Specifically https://github.com, not the on-prem option.

https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication
This article indicates it may not be certain exactly what perms are needed.

I have a user PAT with (manage_runners:enterprise) as the only permission. It also has SSO authorization on the org the actions are running on.

It is correctly triggering the webhook and creating a runner, but never assigns the task to the runner. The label match is just "self-hosted", and the runners are open to all orgs and all workflows in the enterprise.

I can see the runner show up in the runner groups list in github ui.

The pod 'listens' for about ten minutes, then this is the access denied error I am seeing in the Pod Logs before it terminates and basically gives up.

2022-08-12 20:09:39.810  DEBUG --- Runner successfully configured.
{
  "agentId": 204,
  "agentName": "ghrunner-ext-57zzb-qqvzc",
  "poolId": 5,
  "poolName": "test",
  "ephemeral": true,
  "serverUrl": "https://pipelines.actions.githubusercontent.com/fMYN...",
  "gitHubUrl": "https://github.com/enterprises/myorg",
  "workFolder": "/runner/_work"
2022-08-12 20:09:39.890  DEBUG --- Docker enabled runner detected and Docker daemon wait is enabled
2022-08-12 20:09:39.913  DEBUG --- Waiting until Docker is available or the timeout is reached
Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?
}CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

√ Connected to GitHub


Current runner version: '2.295.0'
2022-08-12 18:45:13Z: Listening for Jobs
An error occurred: Access denied. System:ServiceIdentity;DDDDDDDD-DDDD-DDDD-DDDD-DDDDDDDDDDDD needs View permissions to perform the action.
Runner listener exit with retryable error, re-launch runner in 5 seconds.
Restarting runner...

√ Connected to GitHub

Failed to create a session. The runner registration has been deleted from the server, please re-configure.
Runner listener exit with terminated error, stop the service, no retry needed.
Exiting runner...

I can't tell what it's even trying to do that it is denied for. I'm guessing this is a Github permission error.

Running Actions helm version 0.25.2 in AWS EKS.


Solution

  • Ok, well. To answer my own question.

    Yes that PAT perm (manage_runners:enterprise) is enough.

    Somehow, the runner groups at the ORG level were not configured for 'All repositories' as I thought they were. The UI changed recently, and I saw 'All workflows' and got that mixed up. So if you see the above error, that could be why.

    btw: The Docker debug messages didn't seem to be an actual problem.

    One more tip for the road: set githubEnterpriseServerURL when working with on-prem Github servers, but you should not need to set any of the URL values when using the default public Github. Ref: https://github.com/actions-runner-controller/actions-runner-controller/tree/master/charts/actions-runner-controller
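The root cause in the answer above is a runner group whose visibility is narrower than "all", which is easy to miss in the UI but easy to read from the API. The following is an added example (not part of the original question or answer, and not actions-runner-controller code): it inspects the JSON shape returned by GitHub's runner-groups endpoints (`GET /enterprises/{enterprise}/actions/runner-groups` and `GET /orgs/{org}/actions/runner-groups`) and flags any group that is not open to every repository and workflow. The two payloads are constructed samples, not captured API responses; the field names (`visibility`, `restricted_to_workflows`, `selected_workflows`) are those of the GitHub REST API as documented, and `fetch_runner_groups` is the live variant that is defined but not exercised here.

```python
"""Diagnose GitHub Actions runner-group visibility for an enterprise and its orgs.

Added example, not from the original post. A runner that registers fine but is
never assigned a job is often sitting in a group whose visibility is
"selected" rather than "all"; this script makes that visible from the API
response instead of the UI. Sample payloads below are constructed.
"""
import json
import urllib.request

# Constructed sample: enterprise-level group open to all orgs and workflows.
ENTERPRISE_GROUPS = json.loads("""
{"total_count": 1, "runner_groups": [
  {"id": 5, "name": "test", "visibility": "all", "default": false,
   "allows_public_repositories": false, "restricted_to_workflows": false,
   "selected_workflows": []}
]}
""")

# Constructed sample: org-level "test" group accidentally left on selected
# repositories and a single allowed workflow, the misconfiguration above.
ORG_GROUPS = json.loads("""
{"total_count": 2, "runner_groups": [
  {"id": 1, "name": "Default", "visibility": "all", "default": true,
   "allows_public_repositories": false, "restricted_to_workflows": false,
   "selected_workflows": []},
  {"id": 7, "name": "test", "visibility": "selected", "default": false,
   "allows_public_repositories": false, "restricted_to_workflows": true,
   "selected_workflows": ["myorg/app/.github/workflows/deploy.yml@main"]}
]}
""")


def find_restricted_groups(payload: dict, scope: str) -> list:
    """Return one finding per runner group that is not open to every repo/workflow.

    `scope` ("enterprise" or "org") only labels the finding. A group passes
    when visibility == "all" and it is not restricted to selected workflows.
    """
    findings = []
    for group in payload.get("runner_groups", []):
        reasons = []
        visibility = group.get("visibility")
        if visibility != "all":
            reasons.append(f"visibility={visibility!r} (expected 'all')")
        if group.get("restricted_to_workflows"):
            allowed = len(group.get("selected_workflows", []))
            reasons.append(f"restricted_to_workflows=true ({allowed} workflow(s) allowed)")
        if reasons:
            findings.append({"scope": scope, "group": group["name"],
                             "id": group["id"], "reasons": reasons})
    return findings


def fetch_runner_groups(url: str, token: str) -> dict:
    """Live variant (needs network): GET a runner-groups endpoint with a PAT.

    Not exercised in this example. For the enterprise endpoint the PAT needs the
    manage_runners:enterprise scope, the same scope the question settled on.
    """
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose(enterprise_payload: dict, org_payloads: dict) -> list:
    """Combine findings across the enterprise group list and each org's list."""
    findings = find_restricted_groups(enterprise_payload, "enterprise")
    for org_name, payload in org_payloads.items():
        findings.extend(find_restricted_groups(payload, f"org:{org_name}"))
    return findings


if __name__ == "__main__":
    for f in diagnose(ENTERPRISE_GROUPS, {"myorg": ORG_GROUPS}):
        print(f"[{f['scope']}] group '{f['group']}' (id {f['id']}): "
              + "; ".join(f["reasons"]))
```

Run it as-is to see the constructed org-level "test" group flagged on both counts; to check a real enterprise, replace the sample payloads with the result of `fetch_runner_groups` for each endpoint, using a PAT scoped no wider than the check needs.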