Skip to content
Latchkey

How to Rotate Self-Hosted Runner Registration Tokens in GitHub Actions

Registration tokens are short-lived by design, so the safe pattern is to mint a fresh one from the API at provisioning time rather than caching one.

Call the registration-token REST endpoint right before configuring a runner. The token expires in about an hour, so generating it just in time avoids storing a reusable secret.

Steps

  • Use a GitHub App or PAT with admin rights to mint tokens.
  • Call the registration-token endpoint at provisioning time.
  • Pass the returned token straight into config.sh.
  • Never persist the token; let it expire.

Mint and use a token

Terminal
TOKEN=$(curl -s -X POST \
  -H "Authorization: Bearer $GH_APP_TOKEN" \
  https://api.github.com/repos/my-org/my-repo/actions/runners/registration-token \
  | jq -r .token)

./config.sh --url https://github.com/my-org/my-repo \
  --token "$TOKEN" --ephemeral --unattended

Gotchas

  • Registration tokens expire in roughly one hour; mint them just in time, not ahead.
  • A separate remove-token endpoint deregisters a runner cleanly.
  • JIT runners go a step further by avoiding a reusable registration token altogether.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →