-
Notifications
You must be signed in to change notification settings - Fork 965
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configuration tries to use the registration endpoint even when passed --token <token>
#1882
Comments
Hi @Caeleron, |
I tried to reproduce the issue you reported, but I had no problem with org runner configuration. Are you sure that your token just didn't expire, since the token generated this way expires after an hour? |
I used the token immediately after generating it. I know that the PAT used to generate the registration token is valid and has the permissions needed because passing it to the runner via |
Hi @Caeleron, My coworker and I tried to reproduce this issue again, but we had no problems configuring the runner. I'm sending you a link to the documentation where you have instructions for self-checking (mainly connection/internet stuff and similar). Let me know if any of this helped you. |
The runner is able to access GitHub without any issues. In fact, the registration endpoint works when called from the runner when passed a valid PAT. However, the problem happens when I try to manually produce the registration token using the same PAT and endpoint as the runner, which produces a valid token but the runner instead attempts to use it as a token to request a registration token. |
I found the debug traces for both cases. Using token:
Using PAT:
As a reminder, this is using the same PAT for both, so there is no way that the PAT can be invalid. |
We are having the same issue, our entrypoint is here: https://gist.github.com/neilmock/2b996ddc17bb8dd5bfe23a18f1e1d968 |
Note: the token provided in https://github.com/organizations//settings/actions/runners/new is not static, it expires fast so this happens when not using the token immediately |
This is not using the token generated by the web interface at The use case for all of this is generating runners on the fly without someone manually configuring the instance through the web interface. |
I have the issue too, I'm running auto-scaled instances. I fixed it by getting a new token. So the issue appears to be the length of time the tokens are valid for, we can't specify a length, nor is it documented what it is, so it's almost useless for our longer running auto-scaled instances. |
I think GitHub changed the API, check here: |
The documentation and API looks to be the same from when I was referring to it back in May 2022. The example |
+1. Seems like Github really wants you paying for their own runners. |
I am seeing the same issue, but its not consistent. Sometimes, registration goes through, few times, it fails. |
Same issue here. Appeared just now, worked perfectly until 1 week ago |
What that 404 stands for here? If that short lived token is already expired - then we should be getting 401 or 403 ideally, but I'm also getting same as others when token is expired:
At the moment utilizing version 2.300.2 of runner. |
Same issue |
the |
Using personal access token with fine-grained permissions work fine for me |
Hi All, |
@ruvceskistefan The issue is definitely not fixed. People have been misreading the issue and claiming it has been working. It is not fixed. The personal access token works, but that is not the bug at hand. The bug is that the |
@ruvceskistefan The issue was an expired token for me. I think the response code should be updated. A 404 is not sufficient for this error. |
@oojacoboo This issue has nothing to do with expired personal access tokens. This is involving the registration token that can be generated here: https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization @ruvceskistefan Please reopen the issue, as the issue is not fixed. I don't seem to have the ability to. I will need to make a new issue if this is not re-opened. |
I'm having this error as well, the message is not that clear.
|
I am getting this error randomly when using ARC in an EKS cluster. Obviously it's not an issue of an expired or incorrect token since it fails only randomly. It's also worth mentioning that the last time it failed for me, it was literally in the middle of running a workflow (2 minutes in), which seems strange since the runner should have already been registered before picking up the job? Unless it has to re-register every few mins or something? |
Hi, Steps to reproduce the behaviour: Base Image: Ubuntu 20.04 Expected behaviour What's not working? |
Also faced this issue using the |
hey @ruvceskistefan - any update on this? |
Hi, in my case I'm using refresh token only still getting the same issue as mentioned in the above comment |
Hi, any update on this comment ? |
It's probably this If you get this issue when setting up a runner from the documentation then take into account that the token that is provided in the command expires So if you copy paste this command |
I got a 404 from the github auth REST endpoint with win11 powershell when i wrote |
Having the same issue here, trying to programmatically attach a self-hosted runner to a specific repository. Using a PAT for my account to acquire a registration token, then pass that token to "./config.sh". Weird thing is: manually entering the three required commands seems to work, but doing the same thing in a shell script, in a Docker container doesn't. No clue why. I even checked the timezone on the container, but to no avail. Problem solved: turns out an environment variable passed down to the container had an invalid value, which caused the error in the configuration script. |
Actually, you immediately get back GG, Github. Actively working against OSSers trying to get stuff done securely. |
This is what my was, though I really question returning an HTTP 404 error when it is a token expiry issue. Shouldn't that be a different 4XX error, something that might hint that authorization is the issue, not have us searching for why an API says it isn't there? |
I feel you on that. GitHub's docs on security scopes look clear until you try to use them. Is the work you did to get this working public and shareable or internal consumption only? I'm trying to get something similar to work with JIT runners, using GH App id and key to create JWT to call the JIT API, but keep getting bad credentials. I'd love to not reinvent the wheel over and over again. If it rolls, I'll use it or modify it to suit my needs. |
I finally got this working, I had refreshed the tab many times (and hardly had waited a minute before trying to run it). What seems to have fixed it for me in the end is using the
Don't know if GitHub was actually having some downtime, or if it was indeed the |
I finally got this working as well. Our ACCESS_TOKEN was expired so I need to generate a new PAT( don't forget to authorize your org to this token) and update our REG_TOKEN with the new ACCESS_TOKEN:
|
I was getting various 404s. Most were of this flavor: GITHUB_REGISTER_NAMESPACE=xxx # i.e. orgs/myorg or repos/kyleparisi/repo
https://api.github.com/$GITHUB_REGISTER_NAMESPACE/actions/runners/registration-token
GITHUB_RUNNER_NAMESPACE=xxx # i.e. myorg or kyleparisi/repo
./config.sh --url "https://github.com/$GITHUB_RUNNER_NAMESPACE" ... |
Using new token , worked for me. |
Using new token , worked for me. thank you. |
As many people said, you need to go to Settings->Runners->New self-hosted runner page from scratch to regenerate the token you see in the generated code snipped |
Got hit by this bug today. And the strange thing is it worked a couple of weeks ago, now I need to use @Caeleron did you ever find a solution or did you just settle on using |
I can admit that it doesn't work either. Half day spending how to debug that damn thing trying to register runner using TOKEN received from https://docs.github.com/en/rest/actions/self-hosted-runners?apiVersion=2022-11-28#create-a-registration-token-for-an-organization I don't know what is
There is NO
That provides
|
I just want to add that after I updated the permission scope of the pat token to have the If you are making calls to |
I encountered same error message. thanks #issuecomment-1369682006 Here's how I fixed it: I went to
|
I also have the same issue. I have a token generation server, which hold the (definitely valid PAT with admin read+write), that provides the token to my self hosted runner via api, which is immediately used. As i get that TOKEN via the PAT issued, i would also expect the PAT to be valid and have the correct access rights. |
Just sharing my experience. We seen same issue when we hit the API Limit. Please cross check API Limit as well. |
Some good advice piling up here. In my case, the error was because I was providing a repo URL when I was providing an org token and I needed to provide the corresponding org URL. |
Based on all the info here, the following works for me:
That is, a RUNNER_TOKEN is created using the organization-level endpoint, using a PAT with organization-level Self-Hosted Runners permissions (no need for Repo Admin permissions). When using that token it's imperative to use the organization endpoint for Earlier somebody said runnergroup was for enterprise subscriptions only. I find that to not be the case. It works for me on the free Organization plan. |
Issue is closed but I wanted to report my findings with the ephemeral mode too ... I tried it out and re-registered the runners after each run new because it automatically gets removed from the github runners. Doing this I also run in this 404 problem and additionally I was not able to obtain a new token because of API rate limit although I was never issuing 1000 requests per hour and I shared a token between threads and renewed it after 30min. Ofc I couldn't share the token between servers. Putting the github personal access token inside the runner is a no-go so I haven't done this workaround. I switched then to By the way, SIGTERM handling should be pulled straight, imHo, then I could live with neither ephemeral nor once^^ It's impossible to shutdown the runner clean with SIGTERM without killing jobs and getten CI Actions to hang in some weird state where you even can't remove the runners for an hour or so. |
Describe the bug
When running the configuration of the runner unattended, some means of authenticating is required. The documentation at https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization claims that a token from that endpoint can be used with the
--token <token>
option. Instead, the runner attempts to obtain a new one with a PAT that may or may not be passed to it (See ConfigurationManager.cs#L111) In the case that it isn't, the configuration fails with a 404.To Reproduce
Steps to reproduce the behavior:
https://api.github.com/orgs/ORG/actions/runners/registration-token
, whereORG
is a valid organization. Call this registration tokenTOKEN
../config --unattended --url https://github.com/ORG --token TOKEN
Expected behavior
What is described to be possible in https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-an-organization
Runner Version and Platform
Version 2.291.1, Commit 496ec0d
OS of the machine running the runner? OSX/Windows/Linux/...
Linux, Ubuntu 20.04.4 LTS
What's not working?
Job Log Output
N/A
Runner and Worker's Diagnostic Logs
N/A
The text was updated successfully, but these errors were encountered: