How to configure GitHub App authentication
GitHub App authentication is recommended for organization-wide deployments because it:
- Doesn’t expire — unlike PATs, no manual rotation needed
- Fine-grained permissions — scoped exactly to what the runner daemon needs
- Bound to the org — not tied to a personal account, survives employee offboarding
Step 1: Create a GitHub App
- Go to your organization’s settings: https://github.com/organizations/YOUR-ORG/settings/apps
- Click New GitHub App
- Set the following:
  - GitHub App name: elastic-fruit-runner (or any name)
  - Homepage URL: your org’s URL
  - Webhook: uncheck Active (not needed)
- Under Permissions, set:
  - Organization permissions > Self-hosted runners: Read and write
- Click Create GitHub App
Step 2: Generate a private key
- On the App’s settings page, scroll to Private keys
- Click Generate a private key
- Save the downloaded .pem file to a secure location (e.g., /etc/elastic-fruit-runner/private-key.pem)
Step 3: Install the App
- On the App’s settings page, click Install App in the sidebar
- Select your organization
- Choose All repositories or select specific repositories
- Click Install
- Note the Installation ID from the URL: https://github.com/organizations/YOUR-ORG/settings/installations/INSTALLATION_ID
Step 4: Note the Client ID
On the App’s settings page, find the Client ID (starts with Iv1.).
Step 5: Update configuration
Add the GitHub App credentials to your config file:
```yaml
orgs:
  - org: your-org
    auth:
      github_app:
        client_id: Iv1.xxxxxxxxxxxxxxxx
        installation_id: 12345678
        private_key_path: /path/to/private-key.pem
    runner_group: Default
    runner_sets:
      - name: efr-macos-arm64
        backend: tart
        image: ghcr.io/cirruslabs/macos-tahoe-xcode:26.3
        labels: [self-hosted, macos, arm64]
        max_runners: 2
      - name: efr-linux-arm64
        backend: docker
        image: ghcr.io/actions-runner-controller/actions-runner-controller/actions-runner-dind:latest
        labels: [self-hosted, linux, arm64]
        max_runners: 4
        platform: linux/arm64
      - name: efr-linux-amd64
        backend: docker
        image: ghcr.io/actions-runner-controller/actions-runner-controller/actions-runner-dind:latest
        labels: [self-hosted, linux, amd64]
        max_runners: 4
        platform: linux/amd64

idle_timeout: 15m
```
Step 6: Restart the service
```bash
# macOS
brew services restart elastic-fruit-runner
# Linux (Docker)
docker compose restart elastic-fruit-runner
```
Troubleshooting
Permissions not saved
When creating the GitHub App in the browser, Organization permissions (especially Self-hosted runners) may appear as “No access” if the page didn’t save correctly. Always verify at:
https://github.com/organizations/YOUR-ORG/settings/apps/APP-NAME/permissions
Permission changes require re-acceptance
After updating permissions on an existing GitHub App, you must go to the installation page and explicitly accept the new permissions. The approval banner will list all new/changed permissions. Until you accept, the App still operates with the old permissions.
Private key generation may need retry
The “Generate a private key” button on the GitHub App settings page occasionally fails silently. If you don’t see a download prompt after clicking, scroll down and try again, or reload the page.
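
A pre-flight check for the credentials configured above, as an added example that is not part of elastic-fruit-runner: it rejects a key file that group or others can read, then signs a short-lived App JWT with the Client ID so the installation's granted permissions can be queried from the API. The function names and the `KEY`, `CLIENT_ID` and `INSTALLATION_ID` variables are assumptions made for this example; it requires `openssl`.

```shell
#!/bin/sh
# Added example, not part of elastic-fruit-runner. Requires openssl.

# base64url without padding, the encoding JWT segments use.
b64url() { openssl base64 | tr -d '=\n' | tr '/+' '_-'; }

# Succeed only if the key is accessible to its owner alone and parses as a private key.
check_key_file() {
    key=$1
    # GNU stat (Linux) first, BSD stat (macOS) as fallback.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") || return 1
    case "$mode" in
        *00) ;;   # e.g. 600 or 400: no group/other access
        *) echo "$key: mode $mode is too open, use chmod 600" >&2; return 1 ;;
    esac
    openssl pkey -in "$key" -noout 2>/dev/null || {
        echo "$key: not a valid private key" >&2; return 1
    }
}

# Print an RS256 JWT for the App, valid for 5 minutes (GitHub allows at most 10).
make_app_jwt() {
    client_id=$1
    key=$2
    now=$(date +%s)
    header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
    # iat is backdated 60 seconds to tolerate clock drift.
    payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
        "$((now - 60))" "$((now + 300))" "$client_id" | b64url)
    sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -sign "$key" | b64url)
    printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# Usage against the real API (needs network; variables are placeholders):
#   check_key_file "$KEY" && jwt=$(make_app_jwt "$CLIENT_ID" "$KEY")
#   curl -s -H "Authorization: Bearer $jwt" \
#        -H "Accept: application/vnd.github+json" \
#        "https://api.github.com/app/installations/$INSTALLATION_ID" \
#     | grep organization_self_hosted_runners
```

If the `grep` prints nothing, or shows `read` instead of `write`, the Self-hosted runners permission was not saved or has not been accepted on the installation yet.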