services.github-runners.<name>.tokenFile
The full path to a file which contains either
- a fine-grained personal access token (PAT),
- a classic PAT, or
- a runner registration token.
Changing this option or the tokenFile’s content triggers a new runner registration.
We suggest using fine-grained PATs. A runner registration token is valid only for 1 hour after creation, so the next time the runner configuration changes, this will give you hard-to-debug HTTP 404 errors in the configure step.
The file should contain exactly one line with the token without any newline.
(Use echo -n '…token…' > …token file… to make sure no newlines sneak in.)
If the file contains a PAT, the service creates a new registration token on startup as needed. If a registration token is given, it can be used to re-register a runner of the same name but is time-limited as noted above.
For fine-grained PATs:
Give it "Read and Write access to organization/repository self hosted runners",
depending on whether it is organization wide or per-repository. You might have to
experiment a little; fine-grained PATs are a beta GitHub feature and still subject
to change. Nonetheless, they are the best option at the moment.
For classic PATs:
Make sure the PAT has a scope of admin:org for organization-wide registrations
or a scope of repo for a single repository.
For runner registration tokens:
Nothing special needs to be done, but updating will break after one hour, so these are not recommended.
- Type
absolute path
- Example
"/run/secrets/github-runner/nixos.token"
- Declared
- <nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
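The one-line, no-newline rule for the token file can be checked before the runner service ever reads it. The following is an added example, not code from nixpkgs: the function names are hypothetical, the 0600 file mode is an assumption about how the secret is handled, and the `github_pat_` and `ghp_` prefixes are GitHub's token formats rather than something this page states.

```shell
#!/bin/sh
# Added example (not from nixpkgs): write and lint a github-runner tokenFile.

# Read the token from stdin so it never appears in argv or shell history,
# drop CR/LF, and leave the file accessible to its owner only (assumption).
write_token_file() {
    ( umask 077; tr -d '\r\n' > "$1" ) && chmod 600 "$1"
}

# Print one finding per line; return 0 only when there are none.
check_token_file() {
    f=$1; rc=0
    case $f in /*) ;; *) echo "not-absolute-path"; rc=1 ;; esac
    [ -f "$f" ] || { echo "missing"; return 1; }
    total=$(( $(wc -c < "$f") ))
    clean=$(( $(tr -d '[:space:]' < "$f" | wc -c) ))
    [ "$total" -gt 0 ] || { echo "empty"; return 1; }
    # Any newline or other whitespace byte breaks the one-line rule.
    [ "$total" -eq "$clean" ] || { echo "whitespace-or-newline"; rc=1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "group-or-other-access"; rc=1; }
    return "$rc"
}

# Classify by GitHub's token prefixes (assumption: not stated on this page).
token_kind() {
    case $(tr -d '[:space:]' < "$1") in
        github_pat_*) echo "fine-grained-pat" ;;
        ghp_*)        echo "classic-pat" ;;
        *)            echo "unprefixed" ;;  # e.g. a 1-hour registration token
    esac
}
```

Source the file, pipe the token into `write_token_file <path>`, then run `check_token_file <path>`. An `unprefixed` result from `token_kind` is a hint that the file may hold a short-lived registration token.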