Configuration Reference

Configuration Reference

Tokens, secrets, environment variables, and operations runbook for ci-autopilot.

Required GitHub Secrets

Secret	Required	Scopes	Description
GH_TOKEN	Yes (agent)	repo, workflow	Used by agent/poll_once.py to call GitHub REST API
RUNNER_PAT	Optional	repo, workflow, read:org	Used by health monitor if GITHUB_TOKEN lacks runner list permission
GITHUB_TOKEN	Auto-injected	Varies	Injected by GitHub Actions runner into each job; not manually configured

Token Scopes Reference

Scope	Required For
repo	Reading issues, creating issues, runner operations
workflow	Pushing workflow file changes (e.g., ci.yml)
read:org	Listing org-level runners
admin:org	Required by some org policies for runner registration

Environment Variables (Agent)

Variable	Default	Description
GH_TOKEN	—	GitHub token for API calls (preferred)
GITHUB_TOKEN	Auto	Injected by Actions runner; used as fallback
GITHUB_REPOSITORY	Coding-Autopilot-System/ci-autopilot	Full owner/repo string for target repo
GITHUB_OWNER	Coding-Autopilot-System	Owner (used if GITHUB_REPOSITORY not set)
GITHUB_REPO	ci-autopilot	Repo name (used if GITHUB_REPOSITORY not set)

Security Posture

• Use least-privilege tokens; only grant org scopes when required
• Restrict runner machine access to trusted administrators
• Store all secrets in GitHub Secrets — never on disk or in workflow files
• Prefer GitHub Actions logs as the authoritative audit trail
• Keep local host logs for forensic debugging only

Token Rotation

• Remove and re-register runners on a regular cadence or after an incident
• Registration and removal tokens are short-lived — always fetch fresh tokens immediately before use
• Rotate GH_TOKEN / RUNNER_PAT on a schedule or after any suspected compromise

Operations Runbook

Service Control (Windows)

cd C:\actions-runner
$serviceName = Get-Content .\.service
Get-Service -Name $serviceName       # Check status
Start-Service -Name $serviceName     # Start
Stop-Service -Name $serviceName      # Stop
Restart-Service -Name $serviceName   # Restart

Manually Trigger the Fixer

# Dispatch fixer.yml via workflow_dispatch
gh workflow run fixer.yml -R Coding-Autopilot-System/ci-autopilot

# Or via repository_dispatch event
gh api repos/Coding-Autopilot-System/ci-autopilot/dispatches \
  -f event_type=ci-autopilot

Check Runner Health

# List all runners and their status
gh api repos/Coding-Autopilot-System/ci-autopilot/actions/runners \
  -q '.runners[] | {name, status, online}'

Expected for a healthy runner: {"name":"MyLocalPC","status":"online","online":true}

Manually Trigger Runner Health Check

gh workflow run runner-health.yml -R Coding-Autopilot-System/ci-autopilot

Close Stale Issues Manually

# Close all open runner-offline issues
gh api --paginate \
  "repos/Coding-Autopilot-System/ci-autopilot/issues?state=open&labels=runner-offline&per_page=100" \
  --jq '.[].number' | \
  xargs -P 4 -I {} gh issue close {} \
    -R Coding-Autopilot-System/ci-autopilot \
    --reason "not planned"

Upgrade Runner Binaries

1. Stop the runner service
2. Unzip the new runner package into C:\actions-runner (same folder)
3. Start the service

Re-register Runner

See Setup Guide for the full remove + re-register sequence.

View Recent CI Runs

# Last 5 CI runs
gh run list -R Coding-Autopilot-System/ci-autopilot --workflow=ci.yml --limit 5

# Check if latest CI run passed
gh run list -R Coding-Autopilot-System/ci-autopilot --workflow=ci.yml \
  --limit 1 --json conclusion --jq '.[0].conclusion'

Related Documentation

• docs/security.md — Full security posture source
• docs/operations.md — Full operations runbook source
• Architecture — System design and component overview
• Setup Guide — Runner registration and prerequisites