Add support for run in organization #239

Open
wants to merge 8 commits into
base: main
13 changes: 10 additions & 3 deletions README.md
Expand Up @@ -156,8 +156,10 @@ Use the following steps to prepare your workflow for running on your EC2 self-ho

**2. Prepare GitHub personal access token**

1. Create a new GitHub personal access token with the `repo` scope.
The action will use the token for self-hosted runners management in the GitHub account on the repository level.
1. Create a fine-grained personal access token with the required permissions:
- **Repository-level runners (default):** Repository permissions: Administration (read/write), Contents (read)
- **Organization-level runners:** Organization permissions: Self-hosted runners (read/write)
Repository permissions: Contents (read)
2. Add the token to GitHub secrets.

**3. Prepare EC2 image**
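
Review bot: The new step 1 lists two permission sets but never names the input that selects between them, so a reader who creates the organization-level token and leaves `run-runner-in-org` unset ends up with a token that lacks the Administration permission this same step lists for the default repository-level mode. Suggest naming the input in the second bullet, for example "Organization-level runners (`run-runner-in-org: true`)". The removed sentence explaining what the action uses the token for has no replacement; a one-line statement of purpose per mode would help people scope the token. Also check that "Repository permissions: Contents (read)" is indented under the organization bullet so it renders as part of that bullet rather than as a separate paragraph.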
Expand Down Expand Up @@ -205,7 +207,7 @@ Now you're ready to go!
|               Name               | Required | Description |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `mode` | Always required. | Specify here which mode you want to use: <br> - `start` - to start a new runner; <br> - `stop` - to stop the previously created runner. |
| `github-token` | Always required. | GitHub Personal Access Token with the `repo` scope assigned. |
| `github-token` | Always required. | Fine-grained GitHub Personal Access Token with appropriate permissions (see setup instructions above). |
| `ec2-image-id` | Required if you use the `start` mode. | EC2 Image Id (AMI). <br><br> The new runner will be launched from this image. <br><br> The action is compatible with Amazon Linux 2 images. |
| `ec2-instance-type` | Required if you use the `start` mode. | EC2 Instance Type. |
| `subnet-id` | Required if you use the `start` mode. | VPC Subnet Id. <br><br> The subnet should belong to the same VPC as the specified security group. |
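
Review bot: The replacement `github-token` description says only "appropriate permissions (see setup instructions above)", which leaves the inputs table, the place people look up a parameter, without the actual requirement. Suggest stating both permission sets in this row or linking to the "Prepare GitHub personal access token" step by anchor. The row also drops the `repo` scope wording entirely; if classic tokens with `repo` still work, say so, otherwise existing users will read this as a breaking change.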
Expand All @@ -224,6 +226,7 @@ Now you're ready to go!
| `ec2-volume-size` | Optional | Defines the size of the EC2 Volume in GB, will use the AWS default of 8 GB if not provided. |
| `ec2-device-name` | Optional | Defines the device name used for the root volume. |
| `ec2-volume-type` | Optional | Defines the device type used for the root volume. |
| `run-runner-in-org` | Optional | Default: false. When set to true, the runner will be registered at the organization level instead of the repository level. This allows using fine-grained personal access tokens with only the "Self-hosted runners" organization permission and "Contents" repository permission, avoiding the need for repository admin permissions. |

### Environment variables

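Review bot: The `run-runner-in-org` row describes only the token-permission benefit and is silent on what changes for the runner itself. An organization-level registration is governed by the organization's runner group settings rather than by this one repository, so the row should say which organization is used (presumably the owner of the repository running the workflow) and point readers at restricting runner group access to the repositories that need it. It would also help to state the accepted values explicitly as `true` and `false`.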
Expand Down Expand Up @@ -270,6 +273,8 @@ jobs:
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
# Optional: Use organization-level runner for enhanced security
# run-runner-in-org: true
ec2-image-id: ami-123
ec2-instance-type: t3.nano
subnet-id: subnet-123
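
Review bot: The comment "Use organization-level runner for enhanced security" in the start example overstates what the option does. Per the inputs table, the gain is that the token no longer needs repository admin permissions; nothing in this change hardens the runner itself. Suggest wording the comment around that, for example "Optional: register the runner at the organization level (token then needs no repository Administration permission)".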
Expand Down Expand Up @@ -310,6 +315,8 @@ jobs:
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
# Optional: Use organization-level runner for enhanced security
# run-runner-in-org: true
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
```
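
Review bot: The commented-out `run-runner-in-org: true` in the stop job carries no statement that it must match the value used in the start job. If the two jobs can disagree, the stop step would look for the runner in a different scope than the one it was registered in. The README should say the value must be identical in both jobs, or the action should carry the scope from start to stop through an output, the way `label` and `ec2-instance-id` are passed here.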
4 changes: 4 additions & 0 deletions action.yml
Expand Up @@ -112,6 +112,10 @@ inputs:
description: >-
Specify user under whom the runner service should run
required: false
run-runner-in-org:
description: >-
Runner is run in repo by default, but can also be run under the org
required: false
ec2-volume-size:
description: >-
EC2 volume size in GB.
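
Review bot: The new `run-runner-in-org` input has no `default:`, while the README row documents "Default: false"; add `default: 'false'` so the metadata and the docs agree. The description ("Runner is run in repo by default, but can also be run under the org") does not say which value enables the behaviour; state that `true` registers the runner at the organization level. Since action inputs arrive as strings, the code reading this input should compare against the string `true` rather than test truthiness, otherwise `false` would also enable it.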