chore(github-runner): rename 1P item to GitHub PAT (Runner Registration)
Renames the OnePasswordItem.itemPath from "GitHub Runner Registration Token" to "GitHub PAT (Runner Registration)" so the runner 1P entry sits next to its siblings — GitHub PAT (Gitea Mirrors) and GitHub PAT (NuGet Packages) — under a consistent "GitHub PAT (...)" naming pattern and API_CREDENTIAL category. Existing field "credential" remains the consumer (RUNNER_TOKEN env). Comment block clarified to require Administration:read/write fine-grained PAT scope on target repos. Old 1P item renamed to "[DEPRECATED 2026-05-16] GitHub Runner Registration" — kept as recovery backup; can be hard-deleted after the first successful runner pod start against the new item path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Codex
@@ -18,12 +18,12 @@
|
||||
# simultaneous runner pods; single-replica constraint below).
|
||||
#
|
||||
# Credentials:
|
||||
# OnePasswordItem "GitHub Runner Registration Token" → Secret
|
||||
# OnePasswordItem "GitHub PAT (Runner Registration)" → Secret
|
||||
# github-runner-token with field "credential" used as RUNNER_TOKEN.
|
||||
# Operator must create/rotate the 1P item manually; registration tokens
|
||||
# expire after 1h — use a fine-grained PAT with admin:org_hook scope
|
||||
# or a re-registration script. See docs/infrastructure/
|
||||
# self-hosted-runner-fleet.md §Security.
|
||||
# expire after 1h — use a fine-grained PAT with Administration:read/write
|
||||
# scope on the target repos, or a re-registration script. See
|
||||
# docs/infrastructure/self-hosted-runner-fleet.md §Security.
|
||||
#
|
||||
# Security model:
|
||||
# - No ClusterRole / ClusterRoleBinding — runner has no K8s API access.
|
||||
@@ -52,8 +52,10 @@ metadata:
|
||||
---
|
||||
# 1Password secret sync — creates github-runner-token K8s Secret.
|
||||
# Fields expected in the 1Password item:
|
||||
# credential — GitHub runner registration token (or PAT for re-reg script)
|
||||
# Item path: IAmWorkin vault > "GitHub Runner Registration Token"
|
||||
# credential — GitHub fine-grained PAT (Administration:read/write on
|
||||
# target repos) used by the runner image to mint a fresh
|
||||
# short-lived registration token at pod start.
|
||||
# Item path: IAmWorkin vault > "GitHub PAT (Runner Registration)"
|
||||
# Operator MUST create this item before the Deployment will start cleanly.
|
||||
apiVersion: onepassword.com/v1
|
||||
kind: OnePasswordItem
|
||||
@@ -64,7 +66,7 @@ metadata:
|
||||
app.kubernetes.io/component: credentials
|
||||
app.kubernetes.io/part-of: flowercore
|
||||
spec:
|
||||
itemPath: vaults/IAmWorkin/items/GitHub Runner Registration Token
|
||||
itemPath: vaults/IAmWorkin/items/GitHub PAT (Runner Registration)
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
|
||||
Reference in New Issue
Block a user