GitHub App: 404 on repo-level registration token when using enterprise-level app installation #4392

@kacpercesarz98

Description

When using a GitHub App created at the enterprise level and installed in an organization, ARC returns a 404 error when attempting to register a runner at the repository scope (githubConfigUrl pointing to a specific repo). The same app credentials work correctly for organization-scope registration.

Environment

  • ARC version: 0.13.1 (gha-runner-scale-set + gha-runner-scale-set-controller)
  • GitHub: GitHub Enterprise Cloud (github.com)
  • Kubernetes: GKE

GitHub App Configuration

  • App created at the enterprise level
  • Installed in the organization with "All repositories" access
  • Permissions:
    • Repository > Administration: Read and write
    • Repository > Metadata: Read-only
    • Repository > Code: Read
    • Organization > Self-hosted runners: Read and write

Working Configuration (org-level)

apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
spec:
  githubConfigUrl: https://github.com/<org>
  githubConfigSecret: enterprise-app-secret

This registers successfully and the runner picks up jobs.

Failing Configuration (repo-level)

apiVersion: actions.github.com/v1alpha1
kind: AutoscalingRunnerSet
spec:
  githubConfigUrl: https://github.com/<org>/<repo>
  githubConfigSecret: enterprise-app-secret  # same secret as above

Error

ERROR Reconciler error {"controller": "autoscalingrunnerset", ...,
  "error": "failed to create new actions service request: failed to issue update token if needed:
  failed to get runner registration token on refresh: github api error: StatusCode 404,
  RequestID \"...\": {\"message\":\"Not Found\",
  \"documentation_url\":\"https://docs.github.com/rest/actions/self-hosted-runners#create-a-registration-token-for-a-repository\",
  \"status\":\"404\"}"}

Analysis

ARC's fetchAccessToken in github/actions/client.go creates an installation access token via POST /app/installations/{id}/access_tokens with an empty request body (no repository scoping).

The returned token is then used to call:

  • Org-level: POST /orgs/{org}/actions/runners/registration-token → 201 OK
  • Repo-level: POST /repos/{org}/{repo}/actions/runners/registration-token → 404 Not Found

Both endpoints use the same installation access token. The app has Administration: Read and write permission and "All repositories" access, so the repo-level endpoint should succeed.

Important: A different GitHub App (installed directly at the org level, not enterprise level) works correctly for repo-level registration on the same repository with the same permissions. This suggests the issue is specific to how enterprise-level app installations generate access tokens or how GitHub resolves permissions for enterprise app tokens on repo-level endpoints.

Workaround

Use organization-level githubConfigUrl instead of repository-level when authenticating with an enterprise-level GitHub App.

Expected Behavior

Enterprise-level GitHub App installations with Repository > Administration: Read and write permission and "All repositories" access should be able to register runners at the repository scope, the same as org-level app installations.
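
The two calls compared in the Analysis can be isolated from ARC with a small probe. This is an added example, not part of the original issue or of ARC's code: `registrationTokenPath` and `probe` are hypothetical helpers, the org and repo names are constructed, and for github.com `apiBase` would be https://api.github.com with an installation access token you mint yourself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// registrationTokenPath maps a githubConfigUrl (org or repo scope only) to the endpoint path from the issue.
func registrationTokenPath(configURL string) (string, error) {
	u, err := url.Parse(configURL)
	if err != nil {
		return "", err
	}
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	switch {
	case len(p) == 1 && p[0] != "":
		return "/orgs/" + p[0] + "/actions/runners/registration-token", nil
	case len(p) == 2 && p[0] != "enterprises" && p[1] != "":
		return "/repos/" + p[0] + "/" + p[1] + "/actions/runners/registration-token", nil
	}
	return "", fmt.Errorf("unsupported githubConfigUrl scope: %q", configURL)
}

// probe POSTs to that endpoint with an installation access token and returns only the status code.
func probe(c *http.Client, apiBase, token, configURL string) (int, error) {
	path, err := registrationTokenPath(configURL)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequest(http.MethodPost, apiBase+path, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() { // constructed sample URL; prints the path the repo scope resolves to
	p, err := registrationTokenPath("https://github.com/example-org/example-repo")
	fmt.Println(p, err)
}
```

Against the real API a 201 response body carries a live registration token, which is why `probe` discards the body and reports only the status.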
