feat: Option to register runners on organization instead of repo

setup/src/App.svelte

@@ -5,25 +5,34 @@
   let domain = 'INSERT_DOMAIN_HERE';
   let auth: undefined | 'newApp' | 'existingApp' | 'pat';
   let appScope: 'user' | 'org' = 'user';
+  let runnerLevel: 'repo' | 'org';
   let org = 'ORGANIZATION';
   let existingAppId: string = '';
   let existingAppPk: string = '';
   let pat: string = '';
   let success: boolean;
   let result: string | undefined;
 
+  const repositoryPermissions = {
+    actions: 'write',
+    administration: 'write',
+    deployments: 'read',
+  };
+
+  const organizationPermissions = {
+    actions: 'write',
+    organization_self_hosted_runners: 'write',
+    deployments: 'read',
+  };
+
   const manifest = {
     url: 'https://github.com/CloudSnorkel/cdk-github-runners',
     hook_attributes: {
       url: 'INSERT_WEBHOOK_URL_HERE',
     },
     redirect_url: 'INSERT_BASE_URL_HERE/complete-new-app',
     public: false,
-    default_permissions: {
-      actions: 'write',
-      administration: 'write',
-      deployments: 'read',
-    },
+    default_permissions: repositoryPermissions || organizationPermissions,
     default_events: [
       'workflow_job',
     ],
@@ -89,9 +98,10 @@
 
     function promise(): Promise<string> {
       const rightDomain = instance === 'ghes' ? domain : 'github.com';
+      manifest.default_permissions = runnerLevel === 'repo' ? repositoryPermissions : organizationPermissions;
       switch (auth) {
         case 'newApp':
-          return postJson('domain', { domain: rightDomain })
+          return postJson('domain', { domain: rightDomain, runnerLevel })
             .then(_ => {
               (document.getElementById('appform') as HTMLFormElement).submit();
               return Promise.resolve('Redirecting to GitHub...');
@@ -101,11 +111,13 @@
             appid: existingAppId,
             pk: existingAppPk,
             domain: rightDomain,
+            runnerLevel,
           });
         case 'pat':
           return postJson('pat', {
             pat: pat,
             domain: rightDomain,
+            runnerLevel,
           });
       }
     }
@@ -261,6 +273,48 @@
           </div>
         {/if}
 
+
+        <h3>Choose Registration Level</h3>
+        <div class="px-3 py-3">
+          <p>
+            You can configure the github app to register the runners at the
+            repository or organization level. <br>
+            The main difference are the
+            permissions assigned to the github app.<br>
+          </p>
+          <ul>
+            <li>
+              Repository level: the github app will
+              have full <b>administrative</b> access to the selected
+              repositories.
+            </li>
+            <li>
+              Organization level: the github app will have only the "self-hosted
+              github runner" permission to register runners in the organization. (Recommended for organizations)
+            </li>
+        </ul>
+          <div class="form-check">
+            <input
+              class="form-check-input"
+              type="radio"
+              bind:group={runnerLevel}
+              value="repo"
+              id="repo"
+            />
+            <label class="form-check-label" for="repo">Repository</label>
+          </div>
+          <div class="form-check">
+            <input
+              class="form-check-input"
+              type="radio"
+              bind:group={runnerLevel}
+              value="org"
+              id="org"
+            />
+            <label class="form-check-label" for="org">Organization</label>
+          </div>
+        </div>
+
         <h2>Finish Setup</h2>
         <div class="px-3 py-3">
           {#if result === undefined}

src/lambda-github.ts

@@ -13,6 +13,7 @@ export interface GitHubSecrets {
   domain: string;
   appId: number;
   personalAuthToken: string;
+  runnerLevel: string;
 }
 
 const octokitCache: {

src/providers/common.ts

@@ -326,6 +326,12 @@ export interface RunnerRuntimeParameters {
    * Path to repository name.
    */
   readonly repoPath: string;
+
+  /**
+   * Level to register runner at. Can be either 'repo' or 'org'.
+   */
+  readonly runnerLevel: string;
+
 }
 
 /**

src/providers/ec2.ts

@@ -60,11 +60,51 @@ EOF
   /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/tmp/log.conf || exit 2
 }
 action () {
-  if [ "$(< RUNNER_VERSION)" = "latest" ]; then RUNNER_FLAGS=""; else RUNNER_FLAGS="--disableupdate"; fi
-  sudo -Hu runner /home/runner/config.sh --unattended --url "https://{}/{}/{}" --token "{}" --ephemeral --work _work --labels "{},cdkghr:started:\`date +%s\`" $RUNNER_FLAGS --name "{}" || exit 1
+  # Define variables for injected parameters
+  taskToken="$1"
+  logGroupName="$2"
+  runnerNamePath="$3"
+  githubDomainPath="$4"
+  ownerPath="$5"
+  repoPath="$6"
+  runnerTokenPath="$7"
+  labels="$8"
+  runnerNamePath2="$9"
+  labels2="${10}"
+  runnerLevel="${11}"
+
+  # Determine the value of RUNNER_FLAGS
+  if [ "$(< RUNNER_VERSION)" = "latest" ]; then
+    RUNNER_FLAGS=""
+  else
+    RUNNER_FLAGS="--disableupdate"
+  fi
+
+  # Construct the URL and labels templates
+  url="https/$githubDomainPath/$ownerPath/$repoPath"
+  labelsTemplate="$labels,cdkghr:started:$(date +%s)"
+
+  # Define the registration URL based on runnerLevel
+  if [ "$runnerLevel" = "org" ]; then
+    registrationURL="https://$githubDomainPath/$ownerPath"
+  elif [ "$runnerLevel" = "repo" ]; then
+    registrationURL="https://$githubDomainPath/$ownerPath/$repoPath"
+  else
+    echo "Invalid runnerLevel: $runnerLevel"
+    exit 1
+  fi
+
+  # Execute the configuration command for runner registration
+  sudo -Hu runner /home/runner/config.sh --unattended --url "$registrationURL" --token "$runnerTokenPath" --ephemeral --work _work --labels "$labelsTemplate" $RUNNER_FLAGS --name "$runnerNamePath" || exit 1
+
+  # Execute the run command
   sudo --preserve-env=AWS_REGION -Hu runner /home/runner/run.sh || exit 2
-  STATUS=$(grep -Phors "finish job request for job [0-9a-f\\\\-]+ with result: \\\\K.*" /home/runner/_diag/ | tail -n1)
-  [ -n "$STATUS" ] && echo CDKGHA JOB DONE "{}" "$STATUS"
+
+  # Retrieve the status
+  STATUS=$(grep -Phors "finish job request for job [0-9a-f\\-]+ with result: \K.*" /home/runner/_diag/ | tail -n1)
+
+  # Check and print the job status
+  [ -n "$STATUS" ] && echo CDKGHA JOB DONE "$labels2" "$STATUS"
 }
 heartbeat &
 if setup_logs && action | tee /var/log/runner.log 2>&1; then
@@ -108,7 +148,7 @@ function setup_logs () {
 }
 function action () {
   cd /actions
-  $RunnerVersion = Get-Content RUNNER_VERSION -Raw 
+  $RunnerVersion = Get-Content RUNNER_VERSION -Raw
   if ($RunnerVersion -eq "latest") { $RunnerFlags = "" } else { $RunnerFlags = "--disableupdate" }
   ./config.cmd --unattended --url "https://{}/{}/{}" --token "{}" --ephemeral --work _work --labels "{},cdkghr:started:$(Get-Date -UFormat +%s)" $RunnerFlags --name "{}" 2>&1 | Out-File -Encoding ASCII -Append /actions/runner.log
   if ($LASTEXITCODE -ne 0) { return 1 }
@@ -366,6 +406,7 @@ export class Ec2RunnerProvider extends BaseProvider implements IRunnerProvider {
       this.labels.join(','),
       parameters.runnerNamePath,
       this.labels.join(','),
+      parameters.runnerLevel,
     ];
 
     const passUserData = new stepfunctions.Pass(this, `${this.labels.join(', ')} data`, {
@@ -390,7 +431,7 @@ export class Ec2RunnerProvider extends BaseProvider implements IRunnerProvider {
     const rootDeviceResource = amiRootDevice(this, this.ami.launchTemplate.launchTemplateId);
     rootDeviceResource.node.addDependency(this.amiBuilder);
     const subnetRunners = this.subnets.map((subnet, index) => {
-      return new stepfunctions_tasks.CallAwsService(this, `${this.labels.join(', ')} subnet${index+1}`, {
+      return new stepfunctions_tasks.CallAwsService(this, `${this.labels.join(', ')} subnet${index + 1}`, {
         comment: subnet.subnetId,
         integrationPattern: IntegrationPattern.WAIT_FOR_TASK_TOKEN,
         service: 'ec2',
@@ -442,7 +483,7 @@ export class Ec2RunnerProvider extends BaseProvider implements IRunnerProvider {
 
     // chain up the rest of the subnets
     for (let i = 1; i < subnetRunners.length; i++) {
-      subnetRunners[i-1].addCatch(subnetRunners[i], {
+      subnetRunners[i - 1].addCatch(subnetRunners[i], {
         errors: ['Ec2.Ec2Exception', 'States.Timeout'],
         resultPath: stepfunctions.JsonPath.stringAt('$.lastSubnetError'),
       });

src/runner.ts

@@ -252,7 +252,7 @@ export class GitHubRunners extends Construct implements ec2.IConnectable {
   private readonly webhook: GithubWebhookHandler;
   private readonly orchestrator: stepfunctions.StateMachine;
   private readonly setupUrl: string;
-  private readonly extraLambdaEnv: {[p: string]: string} = {};
+  private readonly extraLambdaEnv: { [p: string]: string } = {};
   private readonly extraLambdaProps: lambda.FunctionOptions;
   private stateMachineLogGroup?: logs.LogGroup;
   private jobsCompletedMetricFilters?: logs.MetricFilter[];
@@ -369,6 +369,7 @@ export class GitHubRunners extends Construct implements ec2.IConnectable {
           githubDomainPath: stepfunctions.JsonPath.stringAt('$.runner.domain'),
           ownerPath: stepfunctions.JsonPath.stringAt('$.owner'),
           repoPath: stepfunctions.JsonPath.stringAt('$.repo'),
+          runnerLevel: stepfunctions.JsonPath.stringAt('$.runner.runnerLevel'),
         },
       );
       providerChooser.when(

src/secrets.ts

@@ -56,6 +56,7 @@ export class Secrets extends Construct {
             domain: 'github.com',
             appId: '',
             personalAuthToken: '',
+            runnerLevel: 'repo',
           }),
           generateStringKey: 'dummy',
           includeSpace: false,

src/setup.lambda.ts

@@ -55,11 +55,14 @@ async function handleDomain(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewa
   if (!body.domain) {
     return response(400, 'Invalid domain');
   }
+  if (!body.runnerLevel) {
+    return response(400, 'Invalid runner regisration level');
+  }
 
   const githubSecrets: GitHubSecrets = await getSecretJsonValue(process.env.GITHUB_SECRET_ARN);
   githubSecrets.domain = body.domain;
+  githubSecrets.runnerLevel = body.runnerLevel;
   await updateSecretValue(process.env.GITHUB_SECRET_ARN, JSON.stringify(githubSecrets));
-
   return response(200, 'Domain set');
 }
 
@@ -68,26 +71,31 @@ async function handlePat(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewayPr
   if (!body.pat || !body.domain) {
     return response(400, 'Invalid personal access token');
   }
+  if (!body.runnerLevel) {
+    return response(400, 'Invalid runner regisration level');
+  }
 
   await updateSecretValue(process.env.GITHUB_SECRET_ARN, JSON.stringify(<GitHubSecrets>{
     domain: body.domain,
     appId: -1,
     personalAuthToken: body.pat,
+    runnerLevel: body.runnerLevel,
+
   }));
   await updateSecretValue(process.env.SETUP_SECRET_ARN, JSON.stringify({ token: '' }));
 
-  return response( 200, 'Personal access token set');
+  return response(200, 'Personal access token set');
 }
 
 async function handleNewApp(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewayProxyResultV2> {
   if (!event.queryStringParameters) {
-    return response( 400, 'Invalid code');
+    return response(400, 'Invalid code');
   }
 
   const code = event.queryStringParameters.code;
 
   if (!code) {
-    return response( 400, 'Invalid code');
+    return response(400, 'Invalid code');
   }
 
   const githubSecrets: GitHubSecrets = await getSecretJsonValue(process.env.GITHUB_SECRET_ARN);
@@ -105,25 +113,26 @@ async function handleNewApp(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewa
   }));
   await updateSecretValue(process.env.SETUP_SECRET_ARN, JSON.stringify({ token: '' }));
 
-  return response( 200, `New app set. <a href="${newApp.data.html_url}/installations/new">Install it</a> for your repositories.`);
+  return response(200, `New app set. <a href="${newApp.data.html_url}/installations/new">Install it</a> for your repositories.`);
 }
 
 async function handleExistingApp(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewayProxyResultV2> {
   const body = decodeBody(event);
 
-  if (!body.appid || !body.pk || !body.domain) {
-    return response( 400, 'Missing fields');
+  if (!body.appid || !body.pk || !body.domain || !body.runnerLevel) {
+    return response(400, 'Missing fields');
   }
 
   await updateSecretValue(process.env.GITHUB_SECRET_ARN, JSON.stringify(<GitHubSecrets>{
     domain: body.domain,
     appId: body.appid,
     personalAuthToken: '',
+    runnerLevel: body.runnerLevel,
   }));
   await updateSecretValue(process.env.GITHUB_PRIVATE_KEY_SECRET_ARN, body.pk as string);
   await updateSecretValue(process.env.SETUP_SECRET_ARN, JSON.stringify({ token: '' }));
 
-  return response( 200, 'Existing app set. Don\'t forget to set up the webhook.');
+  return response(200, 'Existing app set. Don\'t forget to set up the webhook.');
 }
 
 export async function handler(event: ApiGatewayEvent): Promise<AWSLambda.APIGatewayProxyResultV2> {

src/token-retriever.lambda.ts

@@ -1,5 +1,5 @@
 import { RequestError } from '@octokit/request-error';
-import { getOctokit } from './lambda-github';
+import { GitHubSecrets, getOctokit } from './lambda-github';
 import { StepFunctionLambdaInput } from './lambda-helpers';
 
 class RunnerTokenError extends Error {
@@ -18,14 +18,22 @@ export async function handler(event: StepFunctionLambdaInput) {
       octokit,
     } = await getOctokit(event.installationId);
 
-    const response = await octokit.rest.actions.createRegistrationTokenForRepo({
-      owner: event.owner,
-      repo: event.repo,
-    });
+    let response;
+    if ((githubSecrets as GitHubSecrets).runnerLevel === 'repo') {
+      response = await octokit.rest.actions.createRegistrationTokenForRepo({
+        owner: event.owner,
+        repo: event.repo,
+      });
+    } else if ((githubSecrets as GitHubSecrets).runnerLevel === 'org') {
+      response = await octokit.rest.actions.createRegistrationTokenForOrg({
+        org: event.owner,
+      });
+    }
 
     return {
       domain: githubSecrets.domain,
-      token: response.data.token,
+      runnerLevel: githubSecrets.runnerLevel,
+      token: response!.data.token,
     };
   } catch (error) {
     console.error(error);