Github-runner: seeking advice


This is sort of a desperate re-post from GitHub to Discourse.

Does anyone have some tips for getting github-runner working with a properly stateful workDir?

I’ve tried to follow a pattern that was suggested to work, but signs are that it’s still not working. Any suggestions would be appreciated:


```nix
{ config, ... }:
let
  runnerName = "${config.networking.hostName}-default";
in
{
  config = {
    sops.secrets = {
      "github-runner-token" = {
        owner = "cole";
        group = "cole";
        sopsFile = ../secrets/encrypted/github-runner-token;
        format = "binary";
      };
      # see mixins/git.nix for github-colebot-sshkey
      "cachix_signkey_colemickens" = {
        mode = "0666"; # world-readable: any local user can read this signing key
        sopsFile = ../secrets/encrypted/cachix_signkey_colemickens;
        format = "binary";
      };
    };
    services = {
      github-runners = {
        "${runnerName}" = {
          enable = true;
          url = "";
          tokenFile = config.sops.secrets."github-runner-token".path;
          replace = true;
          name = runnerName;
          serviceOverrides.StateDirectory = [
            "github-runner/${runnerName}" # module default
          ];
          workDir = "/var/lib/github-runner/${runnerName}"; # TODO: make sure this works
          extraLabels = [ runnerName ];
        };
      };
    };
  };
}
```

```
Mar 17 23:59:59 raisin systemd[1]: Starting GitHub Actions runner...
Mar 18 00:00:00 raisin ([524799]: github-runner-raisin-default.service: Failed to set up mount namespacing: /var/lib/private/github-runner/raisin-default/.current-token: No such file or directory
Mar 18 00:00:00 raisin systemd[1]: github-runner-raisin-default.service: Control process exited, code=exited, status=226/NAMESPACE
Mar 18 00:00:00 raisin systemd[1]: github-runner-raisin-default.service: Failed with result 'exit-code'.
Mar 18 00:00:00 raisin systemd[1]: Failed to start GitHub Actions runner.
```

wow, it’s like the universe is confirming that now is the time to beg, what a timestamp. :pleading_face:

And then I’ve now re-validated that this looks to be what’s suggested in the GitHub comment, and still very much seems to not work. I’m not sure what’s going on with the “/var/lib/private” stuff exactly.

Actually, I forgot that this module is very explicitly written to wipe the workDir no matter what I do.

Though, again, still not seeing how workDir is meant to be used. Maybe workDir+tokenFile works if you’re not using something to symlink secrets but :confused: that seems bad and unlikely?

Maybe there could be a flake-ified out-of-tree module that:

  1. is always “stateless” in terms of re-registering the runner, so just remove all those fun startup scripts
  2. uses systemd service templates
  3. uses normal systemd service dirs

But also, I’d rather invest 10x energy into Typhon than spend any more with anything to do with GitHub or GitHub Actions.
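As an added example, not code from the post and not the nixpkgs `services.github-runners` module, here is a minimal sketch of the three-point design above: a template unit, a plain `StateDirectory`, and registration redone on every start with `--replace`. It assumes the runner package exposes `bin/config.sh` and `bin/run.sh` (as the upstream release tarball does) and honours a `RUNNER_ROOT` environment variable for where `.runner`/`.credentials` are written; `https://github.com/OWNER/REPO` is a placeholder. The token is handed to the unit with `LoadCredential`, which is read by the service manager as root, so the secret can stay `0400` on disk even though the service runs as a `DynamicUser`.

```nix
# Added example, not code from the post or from nixpkgs. Assumptions are marked:
# runnerPkg provides bin/config.sh and bin/run.sh and honours RUNNER_ROOT; the
# registration URL is a placeholder.
{ config, lib, pkgs, ... }:

let
  runnerPkg = pkgs.github-runner;                      # assumption: bin/config.sh, bin/run.sh
  registrationUrl = "https://github.com/OWNER/REPO";   # placeholder, fill in

  # ExecStartPre helper; receives the instance name (%i) as $1 because systemd
  # specifiers are expanded on the command line, not inside a store-path script.
  register = pkgs.writeShellScript "github-runner-register" ''
    set -euo pipefail
    instance="$1"
    cd "$STATE_DIRECTORY"
    # Stateless registration: discard whatever the previous run left behind and
    # take over the stable name with --replace. No "already registered?" logic.
    rm -f .runner .credentials .credentials_rsaparams
    # Caveat: the token is passed as an argument, so it is visible in the
    # process list for as long as config.sh runs.
    ${runnerPkg}/bin/config.sh --unattended \
      --url ${registrationUrl} \
      --token "$(cat "$CREDENTIALS_DIRECTORY/token")" \
      --name "${config.networking.hostName}-$instance" \
      --labels "$instance" \
      --work _work \
      --replace
  '';
in
{
  # Root-only on disk. The service never opens this path itself: systemd copies
  # it into the unit via LoadCredential below, so no owner/group/0666 tricks are
  # needed to make it readable by a DynamicUser service.
  sops.secrets."github-runner-token" = {
    sopsFile = ../secrets/encrypted/github-runner-token;
    format = "binary";
    mode = "0400";
  };

  # Template unit: `systemctl start github-runner@default.service` gives %i = default.
  systemd.services."github-runner@" = {
    description = "GitHub Actions runner (%i)";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    path = [ pkgs.bash pkgs.coreutils pkgs.git pkgs.nix ];

    # Where the runner stores .runner/.credentials. With DynamicUser the real
    # directory is /var/lib/private/github-runner/%i and /var/lib/github-runner
    # is a symlink systemd creates to it, so this path resolves either way and
    # exists before ExecStartPre runs; nothing has to be pre-created.
    environment.RUNNER_ROOT = "/var/lib/github-runner/%i";   # assumption: package honours it

    serviceConfig = {
      DynamicUser = true;
      StateDirectory = "github-runner/%i";
      WorkingDirectory = "/var/lib/github-runner/%i";
      # Exposed only inside the unit as $CREDENTIALS_DIRECTORY/token.
      LoadCredential = "token:${config.sops.secrets."github-runner-token".path}";
      ExecStartPre = "${register} %i";
      ExecStart = "${runnerPkg}/bin/run.sh";             # assumption: see runnerPkg above
      Restart = "on-failure";
      RestartSec = "10s";
    };
  };
}
```

Because the state directory is whatever systemd hands the unit and the token never has to be bind-mounted into it, the `Failed to set up mount namespacing: .../.current-token` class of failure does not arise here; the cost is one extra registration API call per service start.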