Description
When using a GitHub App created at the enterprise level and installed in an organization, ARC returns a 404 error when attempting to register a runner at the repository scope (githubConfigUrl pointing to a specific repo). The same app credentials work correctly for organization-scope registration.
Environment
- ARC version: 0.13.1 (gha-runner-scale-set + gha-runner-scale-set-controller)
- GitHub: GitHub Enterprise Cloud (github.com)
- Kubernetes: GKE
GitHub App Configuration
- App created at the enterprise level
- Installed in the organization with "All repositories" access
- Permissions:
  - Repository > Administration: Read and write
  - Repository > Metadata: Read-only
  - Repository > Code: Read
  - Organization > Self-hosted runners: Read and write
Working Configuration (org-level)
apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
spec:
  githubConfigUrl: https://github.com/<org>
  githubConfigSecret: enterprise-app-secret

This registers successfully and the runner picks up jobs.
Failing Configuration (repo-level)
apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
spec:
  githubConfigUrl: https://github.com/<org>/<repo>
  githubConfigSecret: enterprise-app-secret # same secret as above

Error
ERROR Reconciler error {"controller": "autoscalingrunnerset", ...,
"error": "failed to create new actions service request: failed to issue update token if needed:
failed to get runner registration token on refresh: github api error: StatusCode 404,
RequestID \"...\": {\"message\":\"Not Found\",
\"documentation_url\":\"https://docs.github.com/rest/actions/self-hosted-runners#create-a-registration-token-for-a-repository\",
\"status\":\"404\"}"}
Analysis
ARC's fetchAccessToken in github/actions/client.go creates an installation access token via POST /app/installations/{id}/access_tokens with an empty request body (no repository scoping).
The returned token is then used to call:
- Org-level: POST /orgs/{org}/actions/runners/registration-token → 201 OK
- Repo-level: POST /repos/{org}/{repo}/actions/runners/registration-token → 404 Not Found
Both endpoints use the same installation access token. The app has Administration: Read and write permission and "All repositories" access, so the repo-level endpoint should succeed.
Important: A different GitHub App (installed directly at the org level, not enterprise level) works correctly for repo-level registration on the same repository with the same permissions. This suggests the issue is specific to how enterprise-level app installations generate access tokens or how GitHub resolves permissions for enterprise app tokens on repo-level endpoints.
Workaround
Use organization-level githubConfigUrl instead of repository-level when authenticating with an enterprise-level GitHub App.
Expected Behavior
Enterprise-level GitHub App installations with Repository > Administration: Read and write permission and "All repositories" access should be able to register runners at the repository scope, the same as org-level app installations.
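
To separate GitHub's behaviour from ARC's, the two registration-token calls listed in the Analysis can be replayed with an installation access token minted outside the controller. The following Go program is an added example, not ARC's code and not part of the original report; the function names and the GH_INSTALLATION_TOKEN environment variable are assumptions, and it handles only the org and repo URL shapes shown in this issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// registrationTokenPath maps a githubConfigUrl to the REST path from the issue (1 segment = org, 2 = repo).
func registrationTokenPath(configURL string) (string, error) {
	u, err := url.Parse(configURL)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) == 1 && parts[0] != "" {
		return "/orgs/" + parts[0] + "/actions/runners/registration-token", nil
	} else if len(parts) == 2 {
		return "/repos/" + parts[0] + "/" + parts[1] + "/actions/runners/registration-token", nil
	}
	return "", fmt.Errorf("unsupported githubConfigUrl %q", configURL)
}

// probe returns only the HTTP status; on 201 the minted registration token in the body is discarded unread.
func probe(c *http.Client, apiBase, token, configURL string) (int, error) {
	path, err := registrationTokenPath(configURL)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodPost, apiBase+path, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() { // GH_INSTALLATION_TOKEN is a hypothetical env var holding the installation access token
	for _, cfg := range os.Args[1:] {
		code, err := probe(http.DefaultClient, "https://api.github.com", os.Getenv("GH_INSTALLATION_TOKEN"), cfg)
		fmt.Println(cfg, code, err)
	}
}
```

Run it once with the org URL and once with the repo URL, using the same token for both: a 201 followed by a 404 reproduces the report without ARC in the path.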