PAT limited only to allow calls to self-hosted-runners API


I have a service which issues organisation-wide self-hosted runner registration tokens.
The service accesses the GH API with an admin PAT in the admin:org scope.
Then I launch runners dynamically, and these runners call the service to get a registration token and then register themselves with --token as usual.

I’d like to have the admin PAT limited only to allow calls to the self-hosted-runners API, thus limiting the blast radius
if the service ever gets borked. Do you know if such a thing is possible now or in the near future? Or is there
some other way around this? Any ideas appreciated.

Best regards

Hi @petrilaakso,

A PAT doesn’t have a scope for org self-hosted runners only. I am afraid I have to say there is no plan to add this new feature.

The GitHub Self-hosted runners API is available for authenticated users, OAuth Apps, and GitHub Apps. A GitHub App has an organization_self_hosted_runners permission.

If it is possible for you to use a GitHub App, you could set that permission for it.

There is the document for how to create a GitHub App. And there is the doc for authenticating with a GitHub App.
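As an added illustration of the GitHub App route suggested above (example code, not from the original thread or from GitHub), the token service can sign a short-lived App JWT, exchange it for an installation token restricted to the `organization_self_hosted_runners` permission, and only then request the runner registration token. It assumes a GitHub App already installed on the org with that permission set to write, and a hypothetical `http` callable is injectable so the flow can be exercised offline.

```python
"""Issue runner registration tokens via a GitHub App instead of an admin PAT.
Assumed inputs: the App's numeric id, its RS256 private key (PEM) and the
installation id for the organisation. Installation tokens expire after an
hour and can be narrowed further with the 'permissions' body below.
"""
import json
import time
import urllib.request

API = "https://api.github.com"
# Only the permission the service needs; the installation token gets nothing else.
RUNNER_PERMISSIONS = {"organization_self_hosted_runners": "write"}


def app_jwt_claims(app_id, now=None, lifetime=540):
    """Claims for the App JWT (max 10 min; iat backdated 60 s for clock skew)."""
    now = int(time.time()) if now is None else now
    return {"iat": now - 60, "exp": now + lifetime, "iss": str(app_id)}


def make_app_jwt(app_id, private_key_pem, now=None):
    """Sign the App JWT with PyJWT (imported lazily; needs the 'cryptography' extra)."""
    import jwt
    return jwt.encode(app_jwt_claims(app_id, now), private_key_pem, algorithm="RS256")


def _request(method, url, token, body=None, http=None):
    """POST/GET as JSON; 'http' is a hypothetical hook (method, url, headers, body) for tests."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    if http is not None:
        return http(method, url, headers, body)
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def installation_token(app_jwt, installation_id, http=None):
    """Exchange the App JWT for an installation token scoped to runner admin only."""
    url = f"{API}/app/installations/{installation_id}/access_tokens"
    return _request("POST", url, app_jwt, {"permissions": RUNNER_PERMISSIONS}, http)["token"]


def runner_registration_token(install_token, org, http=None):
    """Request the org-wide runner registration token the runners use with --token."""
    url = f"{API}/orgs/{org}/actions/runners/registration-token"
    return _request("POST", url, install_token, None, http)["token"]
```

If the service is compromised, an attacker holds at most an hour-long token limited to runner administration rather than a long-lived admin:org PAT.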