Runner: Individual permissions for organization level self hosted runners

Created on 22 Apr 2020  路  11Comments  路  Source: actions/runner

We are very excited with the release of organization level self-hosted runners. However, it looks like the permission structure that was released with the org level self-hosted runners is a bit limiting. The permissions selected apply to all org level runners.

Enhancement: I request this be enhanced so that each org level runner can have its own set of security permissions.

Context/Scenario:

  • Team1 in our org has over 30 repos that all need to be built on a specific self-hosted runner that has access to resources that only that team should use.
  • Team2 in our org has over 50 repos that all need to use a different self-hosted runner with resources specific to that team.
  • Team1 should not be able to use the runner for Team2 and Team2 should not be able to use the runner for Team1.

Our organization has been looking at migrating all our cicd to Github Actions and this is currently a blocker. I'm happy to provide more details if needed. Thanks!

Service Feature

Most helpful comment

馃憢 Thanks for your feedback @timharris777. We're currently working on a way to group runners within an organization or enterprise that should land this quarter.

All 11 comments

@timharris777 thanks for reaching out.

@chrispat @bryanmacfarlane for this request.

馃憢 @timharris777 - yep, we have feature work on the backlog for adding some sort of grouping construct that permissions can hang off of.

Just curious what quarter this backlog item is slated for? I ask because I'm working on automation around ephemeral repo level runners for our organization to work around the missing security on org level runners. If it's going to be sooner than later I might punt on this work.

i have similar case here, for now, i think one workaround is to specify the runner label for grouping, but not access isolation.

Also interested, and I'm crossing fingers that https://github.com/actions/runner/issues/517 and https://github.com/actions/runner/issues/555 are a step to solving this issue. IMO a way of grouping repos and having runners registered to the group is the best solution. My current company has several orgs, one of which has north of 3000 repos, so there is zero chance of having org level runners.

@bryanmacfarlane , any progress on this one? Would love to help test if possible.

@bryanmacfarlane , any progress on this one? Would love to help test if possible.

馃憢 Thanks for your feedback @timharris777. We're currently working on a way to group runners within an organization or enterprise that should land this quarter.

Very exciting to hear this is on the roadmap for this quarter!

It'd be nice if the PATs for the registration-token API didn't need full admin:org read/write permissions and Owner privileges on the org. Is that part of the planned feature release?

It'd be nice if the PATs for the registration-token API didn't need full admin:org read/write permissions and Owner privileges on the org. Is that part of the planned feature release?

That's something we're planning on doing, but it won't be part of this specific feature. In the meantime, you can register a GitHub app with the org and use the organization_self_hosted_runners permission: https://developer.github.com/v3/apps/permissions/#permission-on-self-hosted-runners

Ooh, okay thank you!

Was this page helpful?
0 / 5 - 0 ratings