How to Rotate Self-Hosted Runner Registration Tokens in GitHub Actions
Registration tokens are short-lived by design, so the safe pattern is to mint a fresh one from the API at provisioning time rather than caching one.
Call the registration-token REST endpoint right before configuring a runner. The token expires in about an hour, so generating it just in time avoids storing a reusable secret.
Steps
- Use a GitHub App or PAT with admin rights to mint tokens.
- Call the registration-token endpoint at provisioning time.
- Pass the returned token straight into
config.sh. - Never persist the token; let it expire.
Mint and use a token
Terminal
TOKEN=$(curl -s -X POST \
-H "Authorization: Bearer $GH_APP_TOKEN" \
https://api.github.com/repos/my-org/my-repo/actions/runners/registration-token \
| jq -r .token)
./config.sh --url https://github.com/my-org/my-repo \
--token "$TOKEN" --ephemeral --unattendedGotchas
- Registration tokens expire in roughly one hour; mint them just in time, not ahead.
- A separate remove-token endpoint deregisters a runner cleanly.
- JIT runners go a step further by avoiding a reusable registration token altogether.
Related guides
How to Use a Just-in-Time (JIT) Runner in GitHub ActionsCreate a just-in-time GitHub Actions runner with the REST API generate-jitconfig endpoint, so the runner is a…
How to Autoscale Self-Hosted Runners on AWS in GitHub ActionsAutoscale ephemeral self-hosted GitHub Actions runners on AWS with the philips-labs terraform-aws-github-runn…