bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

chore(github-runner): rename 1P item to GitHub PAT (Runner Registration)

Browse Source 
Renames the OnePasswordItem.itemPath from "GitHub Runner Registration
Token" to "GitHub PAT (Runner Registration)" so the runner 1P entry
sits next to its siblings — GitHub PAT (Gitea Mirrors) and GitHub PAT
(NuGet Packages) — under a consistent "GitHub PAT (...)" naming pattern
and API_CREDENTIAL category.

Existing field "credential" remains the consumer (RUNNER_TOKEN env).
Comment block clarified to require Administration:read/write fine-grained
PAT scope on target repos.

Old 1P item renamed to "[DEPRECATED 2026-05-16] GitHub Runner
Registration" — kept as recovery backup; can be hard-deleted after the
first successful runner pod start against the new item path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Codex
2026-05-16 10:27:58 -05:00
parent 7d2daaa4f8
commit 710340d8be
1 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
apps/github-runner/github-runner.yaml
View File

@@ -18,12 +18,12 @@
# simultaneous runner pods; single-replica constraint below). # simultaneous runner pods; single-replica constraint below).
# #
# Credentials: # Credentials:
# OnePasswordItem "GitHub Runner Registration Token" → Secret # OnePasswordItem "GitHub PAT (Runner Registration)" → Secret
# github-runner-token with field "credential" used as RUNNER_TOKEN. # github-runner-token with field "credential" used as RUNNER_TOKEN.
# Operator must create/rotate the 1P item manually; registration tokens # Operator must create/rotate the 1P item manually; registration tokens
# expire after 1h — use a fine-grained PAT with admin:org_hook scope # expire after 1h — use a fine-grained PAT with Administration:read/write
# or a re-registration script. See docs/infrastructure/ # scope on the target repos, or a re-registration script. See
# self-hosted-runner-fleet.md §Security. # docs/infrastructure/self-hosted-runner-fleet.md §Security.
# #
# Security model: # Security model:
# - No ClusterRole / ClusterRoleBinding — runner has no K8s API access. # - No ClusterRole / ClusterRoleBinding — runner has no K8s API access.
@@ -52,8 +52,10 @@ metadata:
--- ---
# 1Password secret sync — creates github-runner-token K8s Secret. # 1Password secret sync — creates github-runner-token K8s Secret.
# Fields expected in the 1Password item: # Fields expected in the 1Password item:
# credential — GitHub runner registration token (or PAT for re-reg script) # credential — GitHub fine-grained PAT (Administration:read/write on
# Item path: IAmWorkin vault > "GitHub Runner Registration Token" # target repos) used by the runner image to mint a fresh
# short-lived registration token at pod start.
# Item path: IAmWorkin vault > "GitHub PAT (Runner Registration)"
# Operator MUST create this item before the Deployment will start cleanly. # Operator MUST create this item before the Deployment will start cleanly.
apiVersion: onepassword.com/v1 apiVersion: onepassword.com/v1
kind: OnePasswordItem kind: OnePasswordItem
@@ -64,7 +66,7 @@ metadata:
app.kubernetes.io/component: credentials app.kubernetes.io/component: credentials
app.kubernetes.io/part-of: flowercore app.kubernetes.io/part-of: flowercore
spec: spec:
itemPath: vaults/IAmWorkin/items/GitHub Runner Registration Token itemPath: vaults/IAmWorkin/items/GitHub PAT (Runner Registration)
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim