Part of plan #15. Phase 3 — GitHub Token Hardening.
Problem
README.md currently recommends a classic PAT with repo scope for the github-token input. Classic PATs:
- Grant repo-wide permissions far beyond what self-hosted runner management needs.
- Are tied to a human user; when that person leaves the org, CI breaks or the token stays valid too long.
- Don't support least-privilege.
Target
- Preferred: GitHub App installation token. Scoped per-installation, no human identity, rotation handled by GitHub.
- Acceptable fallback: fine-grained PAT with only the permissions needed.
- Deprecated (keep accepting for compat): classic PAT.
Minimal permissions needed
For self-hosted runner registration / removal:
- administration: write (repo or org scope). The endpoints the action calls, /repos/{owner}/{repo}/actions/runners/registration-token and /remove-token, require this permission.
- Nothing else.
Action-side changes
None to the code — the action consumes whatever token is passed and does not care about the token type. This issue is docs + examples.
- Update README.md to:
  - List GitHub App token setup first (with an actions/create-github-app-token@<sha> snippet).
  - List fine-grained PAT setup second (with the exact permission: administration: write).
  - Keep classic PAT as a "legacy" option with a security note.
- Add a docs/github-app.md with step-by-step: create the App, install on the repo, set secrets, use in workflow.
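As an added illustration of the preferred setup in the Target and README sections above (example workflow written for this issue, not the project's own README content): a job mints a short-lived GitHub App installation token with actions/create-github-app-token, narrows it to the single administration: write permission, and passes it to the runner-management action as github-token. The secret names APP_ID and APP_PRIVATE_KEY, the `<owner>/<runner-action>@<sha>` reference, and the `permission-administration` input (available only in newer releases of create-github-app-token) are assumptions.

```yaml
# Added example, not the project's own code. Assumes the GitHub App is already
# installed on this repository with Administration: Read & write, and that its
# App ID and private key are stored in the constructed secrets APP_ID and
# APP_PRIVATE_KEY. <owner>/<runner-action>@<sha> is a placeholder for the
# action this issue belongs to.
name: manage-self-hosted-runner

on:
  workflow_dispatch:

# The job's built-in GITHUB_TOKEN needs no permissions; the App token does the work.
permissions: {}

jobs:
  register-runner:
    runs-on: ubuntu-latest
    steps:
      - name: Mint installation token
        id: app-token
        uses: actions/create-github-app-token@<sha>   # pin to a full commit SHA
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Limit the token to this repository; it can never exceed what the
          # installation itself was granted.
          repositories: ${{ github.event.repository.name }}
          # Narrow the minted token to the one permission the runner endpoints need.
          # (Assumption: this permission-<name> input exists in the pinned version.)
          permission-administration: write

      - name: Register runner
        uses: <owner>/<runner-action>@<sha>   # placeholder for this repo's action
        with:
          # Installation tokens expire after about an hour, so nothing long-lived
          # is left in the job's environment once it finishes.
          github-token: ${{ steps.app-token.outputs.token }}
```

For the fine-grained PAT fallback the first step is dropped and `github-token` is set to a repository secret holding a PAT whose only repository permission is Administration: Read & write; the action step itself is unchanged, which is why the consumer migration below needs nothing beyond rotating the secret value.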
Consumer migration impact
For terraform-provider-namecheap:
- Rotate secrets.GH_TOKEN from a classic PAT to either a GitHub App installation token or a fine-grained PAT with administration: write.
- No workflow-level changes beyond the secret value.
Acceptance criteria
- README.md "Usage" section leads with GitHub App token, fine-grained PAT second, classic PAT as deprecated option.
- docs/github-app.md has end-to-end setup instructions.