ARC "failed to get registration token" (404) in CI
The ARC controller asked GitHub for a runner registration token and got a 404 Not Found. GitHub returns 404 (not 403) when the App or PAT cannot see the target, so the URL scope or the credential is wrong.
What this error means
The controller or listener logs "failed to get registration token" alongside a "404 Not Found" for the org, repo, or enterprise configured in githubConfigUrl. No runners register.
ERROR failed to get registration token
{"error": "POST https://api.github.com/orgs/acme/actions/runners/registration-token:
404 Not Found []"}Common causes
githubConfigUrl points at a scope the credential cannot see
The App is installed on a different org, or the URL names a repo the App/PAT has no access to. GitHub returns 404 rather than 403 to avoid leaking existence.
The GitHub App lacks the Actions/Administration permissions
Registration tokens require the App to have organization or repository self-hosted runner permissions. Without them the endpoint is invisible and returns 404.
How to fix it
Match githubConfigUrl to what the credential can access
- Confirm the App is installed on the exact org or repo in githubConfigUrl.
- For a PAT, confirm it has the org or repo admin scope for self-hosted runners.
- Reinstall the scale set values with the corrected URL and re-check listener logs.
helm upgrade arc-runner-set \
oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set \
--set githubConfigUrl="https://github.com/acme" \
--namespace arc-runnersGrant the App runner administration permission
In the GitHub App settings, set Organization > Self-hosted runners (or Administration for repos) to Read and write, then reinstall the App on the org.
How to prevent it
- Keep githubConfigUrl, the App installation, and the credential scope in sync.
- Prefer a GitHub App over a PAT so permissions are explicit and auditable.
- Verify the App has Self-hosted runners: Read and write before deploying.