Don't save runner registration tolen in DB

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>

auth/context.go

@@ -23,21 +23,6 @@ import (
 
 type contextFlags string
 
-/*
-// InstanceJWTClaims holds JWT claims
-type InstanceJWTClaims struct {
-	ID     string `json:"id"`
-	Name   string `json:"name"`
-	PoolID string `json:"provider_id"`
-	// Scope is either repository or organization
-	Scope common.PoolType `json:"scope"`
-	// Entity is the repo or org name
-	Entity string `json:"entity"`
-	jwt.StandardClaims
-}
-
-*/
-
 const (
 	isAdminKey  contextFlags = "is_admin"
 	fullNameKey contextFlags = "full_name"
@@ -52,7 +37,6 @@ const (
 	instancePoolTypeKey  contextFlags = "scope"
 	instanceEntityKey    contextFlags = "entity"
 	instanceRunnerStatus contextFlags = "status"
-	instanceGithubToken  contextFlags = "github_token"
 )
 
 func SetInstanceID(ctx context.Context, id string) context.Context {
@@ -79,18 +63,6 @@ func InstanceRunnerStatus(ctx context.Context) common.RunnerStatus {
 	return elem.(common.RunnerStatus)
 }
 
-func SetInstanceGithubToken(ctx context.Context, val string) context.Context {
-	return context.WithValue(ctx, instanceGithubToken, val)
-}
-
-func InstanceGithubToken(ctx context.Context) string {
-	elem := ctx.Value(instanceGithubToken)
-	if elem == nil {
-		return ""
-	}
-	return elem.(string)
-}
-
 func SetInstanceName(ctx context.Context, val string) context.Context {
 	return context.WithValue(ctx, instanceNameKey, val)
 }
@@ -144,7 +116,6 @@ func PopulateInstanceContext(ctx context.Context, instance params.Instance) cont
 	ctx = SetInstanceName(ctx, instance.Name)
 	ctx = SetInstancePoolID(ctx, instance.PoolID)
 	ctx = SetInstanceRunnerStatus(ctx, instance.RunnerStatus)
-	ctx = SetInstanceGithubToken(ctx, string(instance.GithubRegistrationToken))
 	return ctx
 }
 

cloudconfig/templates.go

@@ -29,15 +29,12 @@ set -o pipefail
 CALLBACK_URL="{{ .CallbackURL }}"
 METADATA_URL="{{ .MetadataURL }}"
 BEARER_TOKEN="{{ .CallbackToken }}"
-GITHUB_TOKEN="{{ .GithubToken }}"
 
-if [ -z "$GITHUB_TOKEN" ];then
-	if [ -z "$METADATA_URL" ];then
-		echo "no token is available and METADATA_URL is not set"
-		exit 1
-	fi
-	GITHUB_TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${METADATA_URL}/runner-registration-token/")
+if [ -z "$METADATA_URL" ];then
+	echo "no token is available and METADATA_URL is not set"
+	exit 1
 fi
+GITHUB_TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${METADATA_URL}/runner-registration-token/")
 
 function call() {
 	PAYLOAD="$1"
@@ -106,7 +103,6 @@ type InstallRunnerParams struct {
 	RunnerUsername    string
 	RunnerGroup       string
 	RepoURL           string
-	GithubToken       string
 	MetadataURL       string
 	RunnerName        string
 	RunnerLabels      string

config/config.go

@@ -185,16 +185,16 @@ func (d *Default) Validate() error {
 	if d.CallbackURL == "" {
 		return fmt.Errorf("missing callback_url")
 	}
-
 	_, err := url.Parse(d.CallbackURL)
 	if err != nil {
 		return errors.Wrap(err, "validating callback_url")
 	}
 
-	if d.MetadataURL != "" {
-		if _, err := url.Parse(d.MetadataURL); err != nil {
-			return errors.Wrap(err, "validating metadata_url")
-		}
+	if d.MetadataURL == "" {
+		return fmt.Errorf("missing metadata-url")
+	}
+	if _, err := url.Parse(d.MetadataURL); err != nil {
+		return errors.Wrap(err, "validating metadata_url")
 	}
 
 	if d.ConfigDir == "" {

config/config_test.go

@@ -15,7 +15,6 @@
 package config
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -33,6 +32,7 @@ func getDefaultSectionConfig(configDir string) Default {
 	return Default{
 		ConfigDir:   configDir,
 		CallbackURL: "https://garm.example.com/",
+		MetadataURL: "https://garm.example.com/api/v1/metadata",
 		LogFile:     filepath.Join(configDir, "garm.log"),
 	}
 }
@@ -105,7 +105,7 @@ func getDefaultJWTCofig() JWTAuth {
 }
 
 func getDefaultConfig(t *testing.T) Config {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
@@ -129,7 +129,7 @@ func TestConfig(t *testing.T) {
 }
 
 func TestDefaultSectionConfig(t *testing.T) {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
@@ -150,14 +150,25 @@ func TestDefaultSectionConfig(t *testing.T) {
 			name: "CallbackURL cannot be empty",
 			cfg: Default{
 				CallbackURL: "",
+				MetadataURL: cfg.MetadataURL,
 				ConfigDir:   cfg.ConfigDir,
 			},
 			errString: "missing callback_url",
 		},
+		{
+			name: "MetadataURL cannot be empty",
+			cfg: Default{
+				CallbackURL: cfg.CallbackURL,
+				MetadataURL: "",
+				ConfigDir:   cfg.ConfigDir,
+			},
+			errString: "missing metadata-url",
+		},
 		{
 			name: "ConfigDir cannot be empty",
 			cfg: Default{
 				CallbackURL: cfg.CallbackURL,
+				MetadataURL: cfg.MetadataURL,
 				ConfigDir:   "",
 			},
 			errString: "config_dir cannot be empty",
@@ -166,6 +177,7 @@ func TestDefaultSectionConfig(t *testing.T) {
 			name: "config_dir must exist and be accessible",
 			cfg: Default{
 				CallbackURL: cfg.CallbackURL,
+				MetadataURL: cfg.MetadataURL,
 				ConfigDir:   "/i/do/not/exist",
 			},
 			errString: "accessing config dir: stat /i/do/not/exist:.*",
@@ -306,14 +318,14 @@ func TestAPITLSconfig(t *testing.T) {
 }
 
 func TestTLSConfig(t *testing.T) {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
 	t.Cleanup(func() { os.RemoveAll(dir) })
 
 	invalidCert := filepath.Join(dir, "invalid_cert.pem")
-	err = ioutil.WriteFile(invalidCert, []byte("bogus content"), 0755)
+	err = os.WriteFile(invalidCert, []byte("bogus content"), 0755)
 	if err != nil {
 		t.Fatalf("failed to write file: %s", err)
 	}
@@ -396,7 +408,7 @@ func TestTLSConfig(t *testing.T) {
 }
 
 func TestDatabaseConfig(t *testing.T) {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
@@ -503,7 +515,7 @@ func TestDatabaseConfig(t *testing.T) {
 }
 
 func TestGormParams(t *testing.T) {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
@@ -527,7 +539,7 @@ func TestGormParams(t *testing.T) {
 }
 
 func TestSQLiteConfig(t *testing.T) {
-	dir, err := ioutil.TempDir("", "garm-config-test")
+	dir, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
@@ -676,7 +688,7 @@ func TestNewConfig(t *testing.T) {
 }
 
 func TestNewConfigEmptyConfigDir(t *testing.T) {
-	dirPath, err := ioutil.TempDir("", "garm-config-test")
+	dirPath, err := os.MkdirTemp("", "garm-config-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}

config/external_test.go

@@ -16,7 +16,6 @@ package config
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -25,13 +24,13 @@ import (
 )
 
 func getDefaultExternalConfig(t *testing.T) External {
-	dir, err := ioutil.TempDir("", "garm-test")
+	dir, err := os.MkdirTemp("", "garm-test")
 	if err != nil {
 		t.Fatalf("failed to create temporary directory: %s", err)
 	}
 	t.Cleanup(func() { os.RemoveAll(dir) })
 
-	err = ioutil.WriteFile(filepath.Join(dir, "garm-external-provider"), []byte{}, 0755)
+	err = os.WriteFile(filepath.Join(dir, "garm-external-provider"), []byte{}, 0755)
 	if err != nil {
 		t.Fatalf("failed to write file: %s", err)
 	}

config/testdata/test-empty-config-dir.toml

@@ -1,5 +1,6 @@
 [default]
   callback_url = "https://garm.example.com/"
+  metadata_url = "https://garm.example.com/"
   config_dir = ""
 
 [apiserver]

config/testdata/test-valid-config.toml

@@ -1,5 +1,6 @@
 [default]
   callback_url = "https://garm.example.com/"
+  metadata_url = "https://garm.example.com/"
   config_dir = "./testdata"
 
 [apiserver]

contrib/providers.d/openstack/garm-external-provider

@@ -191,7 +191,7 @@ function repoURL() {
     echo "${REPO}"
 }
 
-function getRegistrationTokenFromAPI() {
+function ghAccessToken() {
     TOKEN_URL=$(runnerTokenURL)
     BEARER_TOKEN=$(callbackToken)
     TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${TOKEN_URL}")
@@ -199,15 +199,6 @@ function getRegistrationTokenFromAPI() {
     echo "${TOKEN}"
 }
 
-function ghAccessToken() {
-    TOKEN=$(echo "$INPUT" | jq -c -r '.github_runner_access_token')
-    if [ -z "$TOKEN" ];then
-        TOKEN=$(getRegistrationTokenFromAPI)
-    fi
-    checkValNotNull "${TOKEN}" "github_runner_access_token" || return $?
-    echo "${TOKEN}"
-}
-
 function callbackURL() {
     CB_URL=$(echo "$INPUT" | jq -c -r '."callback-url"')
     checkValNotNull "${CB_URL}" "callback-url" || return $?

database/common/mocks/Store.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 

database/sql/enterprise.go

@@ -250,13 +250,6 @@ func (s *sqlDatabase) ListEnterpriseInstances(ctx context.Context, enterpriseID
 	ret := []params.Instance{}
 	for _, pool := range pools {
 		for _, instance := range pool.Instances {
-			if instance.GithubRegistrationToken != nil {
-				decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-				if err != nil {
-					return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
-				}
-				instance.GithubRegistrationToken = []byte(decodedTk)
-			}
 			ret = append(ret, s.sqlToParamsInstance(instance))
 		}
 	}

database/sql/instances.go

@@ -16,10 +16,8 @@ package sql
 
 import (
 	"context"
-	"fmt"
 	runnerErrors "garm/errors"
 	"garm/params"
-	"garm/util"
 
 	"github.com/pkg/errors"
 	uuid "github.com/satori/go.uuid"
@@ -32,36 +30,22 @@ func (s *sqlDatabase) CreateInstance(ctx context.Context, poolID string, param p
 	if err != nil {
 		return params.Instance{}, errors.Wrap(err, "fetching pool")
 	}
-	var ghToken []byte
-	if param.GithubRegistrationToken != nil {
-		ghToken, err = util.Aes256EncodeString(string(param.GithubRegistrationToken), s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, fmt.Errorf("failed to encrypt gh token")
-		}
-	}
+
 	newInstance := Instance{
-		Pool:                    pool,
-		Name:                    param.Name,
-		Status:                  param.Status,
-		RunnerStatus:            param.RunnerStatus,
-		OSType:                  param.OSType,
-		OSArch:                  param.OSArch,
-		CallbackURL:             param.CallbackURL,
-		MetadataURL:             param.MetadataURL,
-		GithubRegistrationToken: ghToken,
+		Pool:         pool,
+		Name:         param.Name,
+		Status:       param.Status,
+		RunnerStatus: param.RunnerStatus,
+		OSType:       param.OSType,
+		OSArch:       param.OSArch,
+		CallbackURL:  param.CallbackURL,
+		MetadataURL:  param.MetadataURL,
 	}
 	q := s.conn.Create(&newInstance)
 	if q.Error != nil {
 		return params.Instance{}, errors.Wrap(q.Error, "creating instance")
 	}
 
-	if newInstance.GithubRegistrationToken != nil {
-		decodedTk, err := util.Aes256DecodeString(newInstance.GithubRegistrationToken, s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
-		}
-		newInstance.GithubRegistrationToken = []byte(decodedTk)
-	}
 	return s.sqlToParamsInstance(newInstance), nil
 }
 
@@ -131,20 +115,6 @@ func (s *sqlDatabase) GetPoolInstanceByName(ctx context.Context, poolID string,
 		return params.Instance{}, errors.Wrap(err, "fetching instance")
 	}
 
-	if instance.GithubRegistrationToken != nil {
-		token, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, errors.Wrap(err, "decoing token")
-		}
-		instance.GithubRegistrationToken = []byte(token)
-	}
-	if instance.GithubRegistrationToken != nil {
-		decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
-		}
-		instance.GithubRegistrationToken = []byte(decodedTk)
-	}
 	return s.sqlToParamsInstance(instance), nil
 }
 
@@ -154,13 +124,6 @@ func (s *sqlDatabase) GetInstanceByName(ctx context.Context, instanceName string
 		return params.Instance{}, errors.Wrap(err, "fetching instance")
 	}
 
-	if instance.GithubRegistrationToken != nil {
-		token, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, errors.Wrap(err, "decoing token")
-		}
-		instance.GithubRegistrationToken = []byte(token)
-	}
 	return s.sqlToParamsInstance(instance), nil
 }
 
@@ -246,13 +209,7 @@ func (s *sqlDatabase) UpdateInstance(ctx context.Context, instanceID string, par
 			return params.Instance{}, errors.Wrap(err, "updating addresses")
 		}
 	}
-	if instance.GithubRegistrationToken != nil {
-		decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-		if err != nil {
-			return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
-		}
-		instance.GithubRegistrationToken = []byte(decodedTk)
-	}
+
 	return s.sqlToParamsInstance(instance), nil
 }
 
@@ -264,13 +221,6 @@ func (s *sqlDatabase) ListPoolInstances(ctx context.Context, poolID string) ([]p
 
 	ret := make([]params.Instance, len(pool.Instances))
 	for idx, inst := range pool.Instances {
-		if inst.GithubRegistrationToken != nil {
-			decodedTk, err := util.Aes256DecodeString(inst.GithubRegistrationToken, s.cfg.Passphrase)
-			if err != nil {
-				return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
-			}
-			inst.GithubRegistrationToken = []byte(decodedTk)
-		}
 		ret[idx] = s.sqlToParamsInstance(inst)
 	}
 	return ret, nil
@@ -285,13 +235,6 @@ func (s *sqlDatabase) ListAllInstances(ctx context.Context) ([]params.Instance,
 	}
 	ret := make([]params.Instance, len(instances))
 	for idx, instance := range instances {
-		if instance.GithubRegistrationToken != nil {
-			decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-			if err != nil {
-				return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
-			}
-			instance.GithubRegistrationToken = []byte(decodedTk)
-		}
 		ret[idx] = s.sqlToParamsInstance(instance)
 	}
 	return ret, nil

database/sql/models.go

@@ -127,21 +127,20 @@ type InstanceStatusUpdate struct {
 type Instance struct {
 	Base
 
-	ProviderID              *string `gorm:"uniqueIndex"`
-	Name                    string  `gorm:"uniqueIndex"`
-	AgentID                 int64
-	OSType                  config.OSType
-	OSArch                  config.OSArch
-	OSName                  string
-	OSVersion               string
-	Addresses               []Address `gorm:"foreignKey:InstanceID"`
-	Status                  common.InstanceStatus
-	RunnerStatus            common.RunnerStatus
-	CallbackURL             string
-	MetadataURL             string
-	ProviderFault           []byte `gorm:"type:longblob"`
-	CreateAttempt           int
-	GithubRegistrationToken []byte `gorm:"type:longblob"`
+	ProviderID    *string `gorm:"uniqueIndex"`
+	Name          string  `gorm:"uniqueIndex"`
+	AgentID       int64
+	OSType        config.OSType
+	OSArch        config.OSArch
+	OSName        string
+	OSVersion     string
+	Addresses     []Address `gorm:"foreignKey:InstanceID"`
+	Status        common.InstanceStatus
+	RunnerStatus  common.RunnerStatus
+	CallbackURL   string
+	MetadataURL   string
+	ProviderFault []byte `gorm:"type:longblob"`
+	CreateAttempt int
 
 	PoolID uuid.UUID
 	Pool   Pool `gorm:"foreignKey:PoolID"`

database/sql/organizations.go

@@ -255,13 +255,6 @@ func (s *sqlDatabase) ListOrgInstances(ctx context.Context, orgID string) ([]par
 	ret := []params.Instance{}
 	for _, pool := range pools {
 		for _, instance := range pool.Instances {
-			if instance.GithubRegistrationToken != nil {
-				decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-				if err != nil {
-					return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
-				}
-				instance.GithubRegistrationToken = []byte(decodedTk)
-			}
 			ret = append(ret, s.sqlToParamsInstance(instance))
 		}
 	}

database/sql/repositories.go

@@ -264,13 +264,6 @@ func (s *sqlDatabase) ListRepoInstances(ctx context.Context, repoID string) ([]p
 	ret := []params.Instance{}
 	for _, pool := range pools {
 		for _, instance := range pool.Instances {
-			if instance.GithubRegistrationToken != nil {
-				decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
-				if err != nil {
-					return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
-				}
-				instance.GithubRegistrationToken = []byte(decodedTk)
-			}
 			ret = append(ret, s.sqlToParamsInstance(instance))
 		}
 	}

database/sql/util.go

@@ -29,23 +29,22 @@ func (s *sqlDatabase) sqlToParamsInstance(instance Instance) params.Instance {
 		id = *instance.ProviderID
 	}
 	ret := params.Instance{
-		ID:                      instance.ID.String(),
-		ProviderID:              id,
-		AgentID:                 instance.AgentID,
-		Name:                    instance.Name,
-		OSType:                  instance.OSType,
-		OSName:                  instance.OSName,
-		OSVersion:               instance.OSVersion,
-		OSArch:                  instance.OSArch,
-		Status:                  instance.Status,
-		RunnerStatus:            instance.RunnerStatus,
-		PoolID:                  instance.PoolID.String(),
-		CallbackURL:             instance.CallbackURL,
-		MetadataURL:             instance.MetadataURL,
-		StatusMessages:          []params.StatusMessage{},
-		CreateAttempt:           instance.CreateAttempt,
-		UpdatedAt:               instance.UpdatedAt,
-		GithubRegistrationToken: instance.GithubRegistrationToken,
+		ID:             instance.ID.String(),
+		ProviderID:     id,
+		AgentID:        instance.AgentID,
+		Name:           instance.Name,
+		OSType:         instance.OSType,
+		OSName:         instance.OSName,
+		OSVersion:      instance.OSVersion,
+		OSArch:         instance.OSArch,
+		Status:         instance.Status,
+		RunnerStatus:   instance.RunnerStatus,
+		PoolID:         instance.PoolID.String(),
+		CallbackURL:    instance.CallbackURL,
+		MetadataURL:    instance.MetadataURL,
+		StatusMessages: []params.StatusMessage{},
+		CreateAttempt:  instance.CreateAttempt,
+		UpdatedAt:      instance.UpdatedAt,
 	}
 
 	if len(instance.ProviderFault) > 0 {

params/params.go

@@ -76,10 +76,9 @@ type Instance struct {
 	UpdatedAt      time.Time       `json:"updated_at"`
 
 	// Do not serialize sensitive info.
-	CallbackURL             string `json:"-"`
-	MetadataURL             string `json:"-"`
-	CreateAttempt           int    `json:"-"`
-	GithubRegistrationToken []byte `json:"-"`
+	CallbackURL   string `json:"-"`
+	MetadataURL   string `json:"-"`
+	CreateAttempt int    `json:"-"`
 }
 
 func (i Instance) GetName() string {
@@ -95,9 +94,6 @@ type BootstrapInstance struct {
 	Tools []*github.RunnerApplicationDownload `json:"tools"`
 	// RepoURL is the URL the github runner agent needs to configure itself.
 	RepoURL string `json:"repo_url"`
-	// GithubRunnerAccessToken is the token we fetch from github to allow the runner to
-	// register itself.
-	GithubRunnerAccessToken string `json:"github_runner_access_token"`
 	// CallbackUrl is the URL where the instance can send a post, signaling
 	// progress or status.
 	CallbackURL string `json:"callback-url"`

runner/common/mocks/GithubClient.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 

runner/common/mocks/GithubEnterpriseClient.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 

runner/common/mocks/PoolManager.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 
@@ -27,6 +27,27 @@ func (_m *PoolManager) ForceDeleteRunner(runner params.Instance) error {
 	return r0
 }
 
+// GithubRunnerRegistrationToken provides a mock function with given fields:
+func (_m *PoolManager) GithubRunnerRegistrationToken() (string, error) {
+	ret := _m.Called()
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func() string); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // HandleWorkflowJob provides a mock function with given fields: job
 func (_m *PoolManager) HandleWorkflowJob(job params.WorkflowJob) error {
 	ret := _m.Called(job)

runner/common/mocks/Provider.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 

runner/common/pool.go

@@ -43,6 +43,7 @@ const (
 type PoolManager interface {
 	ID() string
 	WebhookSecret() string
+	GithubRunnerRegistrationToken() (string, error)
 	HandleWorkflowJob(job params.WorkflowJob) error
 	RefreshState(param params.UpdatePoolStateParams) error
 	ForceDeleteRunner(runner params.Instance) error

runner/mocks/PoolManagerController.go

@@ -1,4 +1,4 @@
-// Code generated by mockery v2.14.0. DO NOT EDIT.
+// Code generated by mockery v2.15.0. DO NOT EDIT.
 
 package mocks
 

runner/pool/pool.go

@@ -522,19 +522,6 @@ func (r *basePoolManager) addInstanceToProvider(instance params.Instance) error
 	labels = append(labels, r.controllerLabel())
 	labels = append(labels, r.poolLabel(pool.ID))
 
-	if instance.GithubRegistrationToken == nil {
-		tk, err := r.helper.GetGithubRegistrationToken()
-		if err != nil {
-			if errors.Is(err, runnerErrors.ErrUnauthorized) {
-				failureReason := fmt.Sprintf("failed to fetch registration token: %q", err)
-				r.setPoolRunningState(false, failureReason)
-				log.Print(failureReason)
-			}
-			return errors.Wrap(err, "fetching registration token")
-		}
-		instance.GithubRegistrationToken = []byte(tk)
-	}
-
 	jwtValidity := pool.RunnerTimeout()
 	var poolType common.PoolType = common.RepositoryPool
 	if pool.OrgID != "" {
@@ -562,10 +549,6 @@ func (r *basePoolManager) addInstanceToProvider(instance params.Instance) error
 		CACertBundle:  r.credsDetails.CABundle,
 	}
 
-	if instance.MetadataURL == "" {
-		bootstrapArgs.GithubRunnerAccessToken = string(instance.GithubRegistrationToken)
-	}
-
 	var instanceIDToDelete string
 
 	defer func() {
@@ -986,6 +969,10 @@ func (r *basePoolManager) WebhookSecret() string {
 	return r.helper.WebhookSecret()
 }
 
+func (r *basePoolManager) GithubRunnerRegistrationToken() (string, error) {
+	return r.helper.GetGithubRegistrationToken()
+}
+
 func (r *basePoolManager) ID() string {
 	return r.helper.ID()
 }

runner/providers/external/util.go

@@ -29,7 +29,6 @@ func bootstrapParamsToEnv(param params.BootstrapInstance) []string {
 		fmt.Sprintf("%s_BOOTSTRAP_CALLBACK_URL='%s'", envPrefix, param.CallbackURL),
 		fmt.Sprintf("%s_BOOTSTRAP_REPO_URL='%s'", envPrefix, param.RepoURL),
 		fmt.Sprintf("%s_BOOTSTRAP_LABELS='%s'", envPrefix, strings.Join(param.Labels, ",")),
-		fmt.Sprintf("%s_BOOTSTRAP_GITHUB_ACCESS_TOKEN='%s'", envPrefix, param.GithubRunnerAccessToken),
 	}
 
 	for idx, tool := range param.Tools {

runner/runner.go

@@ -724,8 +724,8 @@ func (r *Runner) AddInstanceStatusMessage(ctx context.Context, param params.Inst
 }
 
 func (r *Runner) GetInstanceGithubRegistrationToken(ctx context.Context) (string, error) {
-	instanceID := auth.InstanceID(ctx)
-	if instanceID == "" {
+	instanceName := auth.InstanceName(ctx)
+	if instanceName == "" {
 		return "", runnerErrors.ErrUnauthorized
 	}
 
@@ -733,10 +733,65 @@ func (r *Runner) GetInstanceGithubRegistrationToken(ctx context.Context) (string
 	if status != providerCommon.RunnerPending && status != providerCommon.RunnerInstalling {
 		return "", runnerErrors.ErrUnauthorized
 	}
-	token := auth.InstanceGithubToken(ctx)
+
+	instance, err := r.store.GetInstanceByName(ctx, instanceName)
+	if err != nil {
+		return "", errors.Wrap(err, "fetching instance")
+	}
+
+	poolMgr, err := r.getPoolManagerFromInstance(ctx, instance)
+	if err != nil {
+		return "", errors.Wrap(err, "fetching pool manager for instance")
+	}
+
+	token, err := poolMgr.GithubRunnerRegistrationToken()
+	if err != nil {
+		return "", errors.Wrap(err, "fetching runner token")
+	}
+
 	return token, nil
 }
 
+func (r *Runner) getPoolManagerFromInstance(ctx context.Context, instance params.Instance) (common.PoolManager, error) {
+	pool, err := r.store.GetPoolByID(ctx, instance.PoolID)
+	if err != nil {
+		return nil, errors.Wrap(err, "fetching pool")
+	}
+
+	var poolMgr common.PoolManager
+
+	if pool.RepoID != "" {
+		repo, err := r.store.GetRepositoryByID(ctx, pool.RepoID)
+		if err != nil {
+			return nil, errors.Wrap(err, "fetching repo")
+		}
+		poolMgr, err = r.findRepoPoolManager(repo.Owner, repo.Name)
+		if err != nil {
+			return nil, errors.Wrapf(err, "fetching pool manager for repo %s", pool.RepoName)
+		}
+	} else if pool.OrgID != "" {
+		org, err := r.store.GetOrganizationByID(ctx, pool.OrgID)
+		if err != nil {
+			return nil, errors.Wrap(err, "fetching org")
+		}
+		poolMgr, err = r.findOrgPoolManager(org.Name)
+		if err != nil {
+			return nil, errors.Wrapf(err, "fetching pool manager for org %s", pool.OrgName)
+		}
+	} else if pool.EnterpriseID != "" {
+		enterprise, err := r.store.GetEnterpriseByID(ctx, pool.EnterpriseID)
+		if err != nil {
+			return nil, errors.Wrap(err, "fetching enterprise")
+		}
+		poolMgr, err = r.findEnterprisePoolManager(enterprise.Name)
+		if err != nil {
+			return nil, errors.Wrapf(err, "fetching pool manager for enterprise %s", pool.EnterpriseName)
+		}
+	}
+
+	return poolMgr, nil
+}
+
 func (r *Runner) ForceDeleteRunner(ctx context.Context, instanceName string) error {
 	if !auth.IsAdmin(ctx) {
 		return runnerErrors.ErrUnauthorized
@@ -747,46 +802,9 @@ func (r *Runner) ForceDeleteRunner(ctx context.Context, instanceName string) err
 		return errors.Wrap(err, "fetching instance")
 	}
 
-	switch instance.Status {
-	case providerCommon.InstanceRunning, providerCommon.InstanceError:
-	default:
-		return runnerErrors.NewBadRequestError("runner must be in %q or %q state", providerCommon.InstanceRunning, providerCommon.InstanceError)
-	}
-
-	pool, err := r.store.GetPoolByID(ctx, instance.PoolID)
+	poolMgr, err := r.getPoolManagerFromInstance(ctx, instance)
 	if err != nil {
-		return errors.Wrap(err, "fetching pool")
-	}
-
-	var poolMgr common.PoolManager
-
-	if pool.RepoID != "" {
-		repo, err := r.store.GetRepositoryByID(ctx, pool.RepoID)
-		if err != nil {
-			return errors.Wrap(err, "fetching repo")
-		}
-		poolMgr, err = r.findRepoPoolManager(repo.Owner, repo.Name)
-		if err != nil {
-			return errors.Wrapf(err, "fetching pool manager for repo %s", pool.RepoName)
-		}
-	} else if pool.OrgID != "" {
-		org, err := r.store.GetOrganizationByID(ctx, pool.OrgID)
-		if err != nil {
-			return errors.Wrap(err, "fetching org")
-		}
-		poolMgr, err = r.findOrgPoolManager(org.Name)
-		if err != nil {
-			return errors.Wrapf(err, "fetching pool manager for org %s", pool.OrgName)
-		}
-	} else if pool.EnterpriseID != "" {
-		enterprise, err := r.store.GetEnterpriseByID(ctx, pool.EnterpriseID)
-		if err != nil {
-			return errors.Wrap(err, "fetching enterprise")
-		}
-		poolMgr, err = r.findEnterprisePoolManager(enterprise.Name)
-		if err != nil {
-			return errors.Wrapf(err, "fetching pool manager for enterprise %s", pool.EnterpriseName)
-		}
+		return errors.Wrap(err, "fetching pool manager for instance")
 	}
 
 	if err := poolMgr.ForceDeleteRunner(instance); err != nil {

util/util.go

@@ -222,11 +222,6 @@ func GetCloudConfig(bootstrapParams params.BootstrapInstance, tools github.Runne
 		CallbackToken:     bootstrapParams.InstanceToken,
 	}
 
-	if bootstrapParams.MetadataURL == "" {
-		// Token URL is not set. Add the GH runner registration token to userdata.
-		installRunnerParams.GithubToken = bootstrapParams.GithubRunnerAccessToken
-	}
-
 	installScript, err := cloudconfig.InstallRunnerScript(installRunnerParams)
 	if err != nil {
 		return "", errors.Wrap(err, "generating script")