adding ARC runner at enterprise level to GHEC, 404

[alext-extracellular]

Why are you starting this discussion?

Error

What GitHub Actions topic or product is this about?

ARC (Actions Runner Controller)

Discussion Details

I am trying to setup ARC auto scale with on prem host and k8s cluster.
I am using enterprise managed users and github enterprise cloud, so my instance is hosted by github in EU region, and the url is like: <domain>.ghe.com

I have followed their instructions, but they do not mention any examples or details for adding runners at enterprise level, only giving examples for org level, however they say enterprise is possible.

I am authenticating with a PAT generated by the enterprise admin account, this has permissions RW on actions and RW on Administration. The Docs for this part mention permissions scopes that don't seem to exist anymore. for example, the word "enterprise" does not appear on this page. I am using a PAT because the docs say that Github Apps do not work for enterprise level.

I have tried making the PAT in the accounts both of the Enterprise Admin and the Enterprise Owner, same result. Both times the resource owner is that user, as the enterprise itself does not appear.

The runner set listener does not appear in k8s.

These are the logs from the controller:

2025-08-29T13:17:21Z	INFO	actions-clients	getting runner registration token	{"registrationTokenURL": "https://api.<domain>.ghe.com/enterprises/<domain>/actions/runners/registration-token"}
2025-08-29T13:17:22.077566138Z 2025-08-29T13:17:22Z	ERROR	AutoscalingRunnerSet	Failed to get runner scale set from Actions service	{"version": "0.12.1", "autoscalingrunnerset": {"name":"arc-runner-set","namespace":"arc-runners"}, "runnerGroupId": "1", "runnerScaleSetName": "arc-runner-set", "error": "failed to create new actions service request: failed to issue update token if needed: failed to get runner registration token on refresh: github api error: StatusCode 404, RequestID \"AA8D:2249DE:1575:E4E4:68B1A861\": {\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/actions/self-hosted-runners#create-a-registration-token-for-an-enterprise\",\"status\":\"404\"}"}

I have tested hitting this endpoint with curl, and it also gives back the 404. However, If I change the PAT to be incorrect, then it gives 401. So it seems the PAT is ok, but I suspect perhaps it does not have the right permissions. But with the docs not aligning to what I can see in the UI, I don't know which permissions to give it.

Any help would be greatly appreciated.

[agace]

@alext-extracellular,

First off, let's talk about that URL in your logs. It's trying to call home to api.<domain>.ghe.com. Now, here's the thing: that specific api subdomain is the default address for a GitHub Enterprise Server installation. Your instance, however, is GitHub Enterprise Cloud, which uses a different address. It's a subtle distinction, but it makes all the difference. The controller is essentially knocking on the wrong door, which is why it's getting a "Not Found" response, even with the right key.

So, the fix for this is thankfully straightforward. We just need to gently guide the controller to the correct address. You'll want to add one specific line to your AutoscalingRunnerSet configuration:

spec:
  githubConfigUrl: https://<domain>.ghe.com/ 

Now, while we're at it, let's just double-check that PAT. You were right to suspect the permissions, the documentation can sometimes feel like it's playing catch-up. The administration scope is perfect for organization-level access, but for the enterprise level, it's best to create a token that is explicitly owned by the enterprise account itself, not your user.

When you create a new fine-grained token, just ensure the Resource owner is set to your enterprise, and it has those read and write permissions for both Administration and Actions.

I have a strong feeling that correcting the URL will get you most of the way there. Once you make that update, everything should start falling into place.

[alext-extracellular]

Hi, thanks for the response

the githubConfigUrl before was "https://<domain>.ghe.com/enterprises/<domain>/" I then changed it to "https://<domain>.ghe.com/" but that just said it was a malformed URL and needed a repo, org or enterprise. so I put it back. The "api" part is added by the application.

As for the PAT, can you be more specific? I have 3 accounts, one is the Enterprise Admin that is not tied to any IDP. second is the Enterprise Owner that is an IDP user with admin permissions. Thirdly is my personal account, also on the IDP. I have tried with the first two, and both have the same result.

Also, on both the Enterprise Owner and Enterprise Admin, it is not possible to change the Resource owner to anything other than that user.

[agace]

Sorry for the delay, @alext-extracellular

The githubConfigUrl needs to be the correct target endpoint.

You encountered this error because ARC is strict about what githubConfigUrl should point to:

• It must correspond to the actual GitHub resource, a repository, organization, or enterprise, that the runners will be attached to

• The Controller then infers the correct API endpoint (including adding /api/...) for calls like fetching registration tokens

Based on the docs and community feedback, valid examples include:

• https://github.com/<your_enterprise>/<your_org>/<repo> (per-repo)
• https://github.com/<your_enterprise>/<your_org> (organization)
• https://github.com/enterprises/<your_enterprise> (enterprise level)

In your case, since you're targeting enterprise-level runners, your githubConfigUrl should actually be:

https://github.com/enterprises/<your_enterprise>

not https://<domain>.ghe.com/enterprises/<domain>/, because that looks like a GitHub Enterprise Server style address, not the GitHub Cloud format. And https://<domain>.ghe.com/ alone is too generic and gets rejected as malformed.

Next step: Update your Helm manifest or values.yaml:

githubConfigUrl: "https://github.com/enterprises/<your_enterprise>"

Or in your Helm command:

--set githubConfigUrl="https://github.com/enterprises/<your_enterprise>"

The docs sometimes lag behind the UI, but users have had success using a classic PAT that includes the manage_runners:enterprise scope.

From GitHub discussion on Stack Overflow:

“I generated Personal Access Token (classic) with permission manage_runners:enterprise and all good. ARC was able to connect to enterprise.”

So:

• Create your PAT as a classic token, not a fine-grained token.
• Ensure Resource owner is indeed the enterprise account (given that's how the classic PAT behaves).
• Include at least the manage_runners:enterprise scope.

If you're using fine-grained tokens, they currently don’t support that enterprise runner management scope, and indeed, you’ve noted that you can't change the resource owner anyway.

[alext-extracellular]

The URL is correct, I am using github enterprise cloud, with enterprise managed users, with data residency in the EU. That is the correct url where I log in to.
However your other tip was what I needed! It needs to be a classic token and not a fine-grained token. I must have missed this when reading the docs. confusing that GH has 3 different ways to authenticate and they are all at various stages of support. Thanks for your help, I have the runner available across the enterprise now :)

[agace]

Glad to hear it's working, happy I could help.