From 6f6ca5098710880fe6281d2eb25bf14adc79260a Mon Sep 17 00:00:00 2001
From: Codex
Date: Sat, 16 May 2026 22:08:56 +0000
Subject: [PATCH] fix(github-runner): switch RUNNER_TOKEN -> ACCESS_TOKEN; set RUN_AS_ROOT=false

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/github-runner/github-runner.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml
index ca796f7..fc08fad 100644
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -163,12 +163,24 @@ spec:
 # Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
 - name: LABELS
 value: "self-hosted,linux,fc-build-linux"
- # Registration token injected from 1Password via OnePasswordItem CRD.
- - name: RUNNER_TOKEN
+ # PAT (not pre-minted registration token) — myoung34/github-runner
+ # mints registration tokens itself via GitHub API when ACCESS_TOKEN
+ # is set. Switched from RUNNER_TOKEN -> ACCESS_TOKEN on 2026-05-16
+ # because the 1P "GitHub PAT (Runner Registration)" item stores a
+ # fine-grained PAT, not a short-lived registration token.
+ - name: ACCESS_TOKEN
 valueFrom:
 secretKeyRef:
 name: github-runner-token
 key: credential
+ # myoung34/github-runner default entrypoint expects root for some
+ # setup steps. With securityContext.runAsUser=1001 the entrypoint
+ # short-circuits with "RUN_AS_ROOT env var is set to true but the
+ # user has been overridden and is not running as root". Tell the
+ # entrypoint we're explicitly NOT root so it skips the root-only
+ # setup steps (cache prewarm + apt updates — both already baked).
+ - name: RUN_AS_ROOT
+ value: "false"
 resources:
 requests:
 cpu: "500m"
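Review bot: The new `ACCESS_TOKEN` entry leaves a long-lived PAT in the runner container's environment, where the old `RUNNER_TOKEN` held only a short-lived registration token, and nothing in the hunk removes it before workflow jobs start. Any step scheduled on this self-hosted runner could then read the PAT from the process environment, so it is worth adding the image's `UNSET_CONFIG_VARS` option next to it, `- name: UNSET_CONFIG_VARS` with `value: "true"` (confirm the pinned image version supports it). The comment above `ACCESS_TOKEN` should also state the minimum permission the fine-grained PAT needs for runner registration, so the 1Password item is not over-scoped. The container's env list starts and ends outside this hunk, so the option may already be set elsewhere in the manifest.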