From 710340d8be01da63a89d1115fac48b8d9efcb5ff Mon Sep 17 00:00:00 2001 From: Codex Date: Sat, 16 May 2026 10:27:58 -0500 Subject: [PATCH] chore(github-runner): rename 1P item to GitHub PAT (Runner Registration) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Renames the OnePasswordItem.itemPath from "GitHub Runner Registration Token" to "GitHub PAT (Runner Registration)" so the runner 1P entry sits next to its siblings — GitHub PAT (Gitea Mirrors) and GitHub PAT (NuGet Packages) — under a consistent "GitHub PAT (...)" naming pattern and API_CREDENTIAL category. Existing field "credential" remains the consumer (RUNNER_TOKEN env). Comment block clarified to require Administration:read/write fine-grained PAT scope on target repos. Old 1P item renamed to "[DEPRECATED 2026-05-16] GitHub Runner Registration" — kept as recovery backup; can be hard-deleted after the first successful runner pod start against the new item path. Co-Authored-By: Claude Opus 4.7 (1M context) --- apps/github-runner/github-runner.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/apps/github-runner/github-runner.yaml b/apps/github-runner/github-runner.yaml index 40748d7..f9f4009 100644 --- a/apps/github-runner/github-runner.yaml +++ b/apps/github-runner/github-runner.yaml @@ -18,12 +18,12 @@ # simultaneous runner pods; single-replica constraint below). # # Credentials: -# OnePasswordItem "GitHub Runner Registration Token" → Secret +# OnePasswordItem "GitHub PAT (Runner Registration)" → Secret # github-runner-token with field "credential" used as RUNNER_TOKEN. # Operator must create/rotate the 1P item manually; registration tokens -# expire after 1h — use a fine-grained PAT with admin:org_hook scope -# or a re-registration script. See docs/infrastructure/ -# self-hosted-runner-fleet.md §Security. +# expire after 1h — use a fine-grained PAT with Administration:read/write +# scope on the target repos, or a re-registration script. See +# docs/infrastructure/self-hosted-runner-fleet.md §Security. # # Security model: # - No ClusterRole / ClusterRoleBinding — runner has no K8s API access. @@ -52,8 +52,10 @@ metadata: --- # 1Password secret sync — creates github-runner-token K8s Secret. # Fields expected in the 1Password item: -# credential — GitHub runner registration token (or PAT for re-reg script) -# Item path: IAmWorkin vault > "GitHub Runner Registration Token" +# credential — GitHub fine-grained PAT (Administration:read/write on +# target repos) used by the runner image to mint a fresh +# short-lived registration token at pod start. +# Item path: IAmWorkin vault > "GitHub PAT (Runner Registration)" # Operator MUST create this item before the Deployment will start cleanly. apiVersion: onepassword.com/v1 kind: OnePasswordItem @@ -64,7 +66,7 @@ metadata: app.kubernetes.io/component: credentials app.kubernetes.io/part-of: flowercore spec: - itemPath: vaults/IAmWorkin/items/GitHub Runner Registration Token + itemPath: vaults/IAmWorkin/items/GitHub PAT (Runner Registration) --- apiVersion: v1 kind: PersistentVolumeClaim