I have a service which issues organisation-wide self-hosted runner registration tokens.
The service accesses the GH API with an admin PAT in the admin:org scope.
Then I launch runners dynamically, and these runners call the service to get a reg token and then register themselves with config.sh --token as usual.
I’d like to have the admin PAT limited to only allow calls to the self-hosted-runners API, thus limiting the blast radius if the service ever gets borked. Do you know if such a thing is possible now or in the near future? Or is there some other way around this? Any ideas appreciated.