fix(github-runner): switch RUNNER_TOKEN -> ACCESS_TOKEN; set RUN_AS_ROOT=false

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:08:56 +00:00
parent c7be58c1f7
commit 6f6ca50987
1 changed files with 14 additions and 2 deletions
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -163,12 +163,24 @@ spec:
            # Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
            - name: LABELS
              value: "self-hosted,linux,fc-build-linux"
-            # Registration token injected from 1Password via OnePasswordItem CRD.
-            - name: RUNNER_TOKEN
+            # PAT (not pre-minted registration token) — myoung34/github-runner
+            # mints registration tokens itself via GitHub API when ACCESS_TOKEN
+            # is set. Switched from RUNNER_TOKEN -> ACCESS_TOKEN on 2026-05-16
+            # because the 1P "GitHub PAT (Runner Registration)" item stores a
+            # fine-grained PAT, not a short-lived registration token.
+            - name: ACCESS_TOKEN
              valueFrom:
                secretKeyRef:
                  name: github-runner-token
                  key: credential
+            # myoung34/github-runner default entrypoint expects root for some
+            # setup steps. With securityContext.runAsUser=1001 the entrypoint
+            # short-circuits with "RUN_AS_ROOT env var is set to true but the
+            # user has been overridden and is not running as root". Tell the
+            # entrypoint we're explicitly NOT root so it skips the root-only
+            # setup steps (cache prewarm + apt updates — both already baked).
+            - name: RUN_AS_ROOT
+              value: "false"
          resources:
            requests:
              cpu: "500m"