diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml
index 40748d7..f9f4009 100644
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -18,12 +18,12 @@
 # simultaneous runner pods; single-replica constraint below).
 #
 # Credentials:
-# OnePasswordItem "GitHub Runner Registration Token" → Secret
+# OnePasswordItem "GitHub PAT (Runner Registration)" → Secret
 # github-runner-token with field "credential" used as RUNNER_TOKEN.
 # Operator must create/rotate the 1P item manually; registration tokens
-# expire after 1h — use a fine-grained PAT with admin:org_hook scope
-# or a re-registration script. See docs/infrastructure/
-# self-hosted-runner-fleet.md §Security.
+# expire after 1h — use a fine-grained PAT with Administration:read/write
+# scope on the target repos, or a re-registration script. See
+# docs/infrastructure/self-hosted-runner-fleet.md §Security.
 #
 # Security model:
 # - No ClusterRole / ClusterRoleBinding — runner has no K8s API access.
@@ -52,8 +52,10 @@ metadata:
 ---
 # 1Password secret sync — creates github-runner-token K8s Secret.
 # Fields expected in the 1Password item:
-# credential — GitHub runner registration token (or PAT for re-reg script)
-# Item path: IAmWorkin vault > "GitHub Runner Registration Token"
+# credential — GitHub fine-grained PAT (Administration:read/write on
+# target repos) used by the runner image to mint a fresh
+# short-lived registration token at pod start.
+# Item path: IAmWorkin vault > "GitHub PAT (Runner Registration)"
 # Operator MUST create this item before the Deployment will start cleanly.
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
@@ -64,7 +66,7 @@ metadata:
     app.kubernetes.io/component: credentials
     app.kubernetes.io/part-of: flowercore
 spec:
-  itemPath: vaults/IAmWorkin/items/GitHub Runner Registration Token
+  itemPath: vaults/IAmWorkin/items/GitHub PAT (Runner Registration)
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
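Review bot: The rewritten Credentials comment still says the `credential` field is consumed as RUNNER_TOKEN, so after this change a long-lived PAT with Administration:write on the target repos sits in the runner pod's environment instead of a 1h registration token, and the Security model list that follows does not mention it. Unless the runner entrypoint unsets the variable after exchanging it for the short-lived registration token, every workflow job scheduled onto this runner can read it with a plain `env`; whether that scrub happens is decided by the image, which this diff does not show. I would add a bullet to the Security model list, e.g. `# - RUNNER_TOKEN is a long-lived PAT (repo Administration:write); entrypoint must unset it after exchange — confirm in the runner image — and never schedule jobs from untrusted PRs here.` The Security model list continues past the end of this hunk.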
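Review bot: The new `credential` description explains that the PAT is exchanged for a short-lived registration token at pod start but says nothing about the PAT's own lifetime, even though the header comment makes the operator responsible for rotating it by hand; a fine-grained PAT created with an expiry date stops minting tokens on that day and the runner silently fails to register, with nothing in this manifest pointing at the cause. Suggest extending the field note: `# credential — … If the PAT was created with an expiry date, record it on the 1P item and rotate before it lapses; an expired PAT shows up as a registration failure at pod start.` Whether that failure is loud or retried is up to the runner image, which is outside this diff.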
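Review bot: `itemPath: vaults/IAmWorkin/items/GitHub PAT (Runner Registration)` is a plain scalar carrying spaces and parentheses; it parses as one string today, but a later edit that introduces `: ` or ` #` into the item title would silently change or truncate the value, so I would quote it: `itemPath: "vaults/IAmWorkin/items/GitHub PAT (Runner Registration)"`. Because the path is the item's display title, renaming the item in 1Password also breaks the sync; if the operator accepts item UUIDs in that position (I believe it does, worth confirming against the operator docs), referencing the UUID would be more robust than the title.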