From 5b7873ee9a933709d09991422dd16dcfa8a8c893 Mon Sep 17 00:00:00 2001
From: Nikola Jokic
Date: Mon, 19 Jan 2026 14:33:48 +0100
Subject: [PATCH] noperm
---
.../templates/_helpers.tpl | 57 ++++++++++++++++---
.../templates/autoscalingrunnserset.yaml | 16 ++++++
.../no_permission_serviceaccount.yaml | 14 +++++
charts/gha-runner-scale-set-dev/values.yaml | 7 +++
4 files changed, 86 insertions(+), 8 deletions(-)
create mode 100644 charts/gha-runner-scale-set-dev/templates/no_permission_serviceaccount.yaml
diff --git a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
index aeaedfcd..aa3510d3 100644
--- a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
@@ -2,7 +2,7 @@
 {{- define "autoscaling-runner-set.name" -}}
 {{- $name := .Values.runnerScaleSetName | default .Release.Name | replace "_" "-" | trimSuffix "-" }}
 {{- if or (empty $name) (gt (len $name) 45) }}
-{{ fail "Autoscaling runner set name must have up to 45 characters" }}
+ {{ fail "Autoscaling runner set name must have up to 45 characters" }}
 {{- end }}
 {{- $name }}
 {{- end }}
@@ -44,7 +44,7 @@ Reserved annotations are excluded from both levels.
 {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRole.metadata.annotations | default (dict))) | fromYaml -}}
 {{- $annotations := mergeOverwrite $global $resource -}}
 {{- if not (empty $annotations) -}}
-{{- toYaml $annotations }}
+ {{- toYaml $annotations }}
 {{- end }}
 {{- end }}
@@ -85,7 +85,7 @@ Reserved annotations are excluded from both levels.
 {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.annotations | default (dict))) | fromYaml -}}
 {{- $annotations := mergeOverwrite $global $resource -}}
 {{- if not (empty $annotations) -}}
-{{- toYaml $annotations }}
+ {{- toYaml $annotations }}
 {{- end }}
 {{- end }}
@@ -95,9 +95,9 @@ The name of the GitHub secret used for authentication.
 */}}
 {{- define "github-secret.name" -}}
 {{- if not (empty .Values.auth.secretName) -}}
-{{- .Values.auth.secretName -}}
+ {{- .Values.auth.secretName -}}
 {{- else -}}
-{{- include "autoscaling-runner-set.name" . }}-github-secret
+ {{- include "autoscaling-runner-set.name" . }}-github-secret
 {{- end -}}
 {{- end }}
@@ -122,7 +122,48 @@ Reserved annotations are excluded. {{- define "github-secret.annotations" -}} {{- $annotations := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} {{- if not (empty $annotations) -}} -{{- toYaml $annotations }} + {{- toYaml $annotations }} +{{- end }} +{{- end }} + + +{{/* +The name of the no-permission ServiceAccount. + +This ServiceAccount is intended for non-kubernetes runner modes when the user +has not specified an explicit ServiceAccount. +*/}} +{{- define "no-permission-serviceaccount.name" -}} +{{- printf "%s-no-permission" (include "autoscaling-runner-set.name" .) -}} +{{- end }} + + +{{/* +Create the labels for the no-permission ServiceAccount. +*/}} +{{- define "no-permission-serviceaccount.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "no-permission-serviceaccount" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.labels | default (dict)) | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the no-permission ServiceAccount. + +Order of precedence: +1) resource.all.metadata.annotations +2) resource.noPermissionServiceAccount.metadata.annotations +Reserved annotations are excluded from both levels. 
+*/}}
+{{- define "no-permission-serviceaccount.annotations" -}}
+{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.noPermissionServiceAccount.metadata.annotations | default (dict))) | fromYaml -}}
+{{- $annotations := mergeOverwrite $global $resource -}}
+{{- if not (empty $annotations) -}}
+ {{- toYaml $annotations }}
 {{- end }}
 {{- end }}
@@ -182,7 +223,7 @@ Reserved annotations are excluded from both levels.
 {{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.autoscalingRunnerSet.metadata.annotations | default (dict))) | fromYaml -}}
 {{- $annotations := mergeOverwrite $global $resource -}}
 {{- if not (empty $annotations) -}}
-{{- toYaml $annotations }}
+ {{- toYaml $annotations }}
 {{- end }}
 {{- end }}
@@ -199,7 +240,7 @@ Container spec that is expanded for the runner container
 {{- define "container-spec.runner" -}}
 {{- if not .Values.runner.container }}
-{{ fail "You must provide a runner container specification in values.runner.container" }}
+ {{ fail "You must provide a runner container specification in values.runner.container" }}
 {{- end }}
 {{- $tlsConfig := (default (dict) .Values.githubServerTLS) -}}
diff --git a/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml b/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml
index 85733bbe..0e382081 100644
--- a/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml
+++ b/charts/gha-runner-scale-set-dev/templates/autoscalingrunnserset.yaml
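Review bot: The comment above `no-permission-serviceaccount.labels` does not say how the four maps it merges rank, whereas the sibling `no-permission-serviceaccount.annotations` helper in the same hunk spells out its order of precedence. With `mergeOverwrite $global $userLabels $resourceLabels $commonLabels` the rightmost argument wins, so a user-supplied `app.kubernetes.io/component` label, or any key that collides with `gha-common-labels`, is silently overridden; the comment should state that, for example `Order of precedence (later wins): resource.all.metadata.labels, resource.noPermissionServiceAccount.metadata.labels, the fixed app.kubernetes.io/component label, gha-common-labels.` The `no-permission-serviceaccount.name` helper is sound because `autoscaling-runner-set.name` already rejects names longer than 45 characters, but a one-line comment such as `{{/* base name is capped at 45 chars, so the -no-permission suffix stays within Kubernetes name limits */}}` would save the next reader from re-deriving that.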
@@ -8,6 +8,16 @@ metadata:
 annotations:
 {{- include "autoscaling-runner-set.annotations" . | nindent 4 }}
 actions.github.com/values-hash: {{ toJson .Values | sha256sum | trunc 63 }}
+ {{- $runnerMode := (.Values.runner.mode | default "") }}
+ {{- $usesKubernetesSecrets := or (not .Values.secretResolution) (eq .Values.secretResolution.type "kubernetes") }}
+ {{- if and $usesKubernetesSecrets (empty .Values.auth.secretName) }}
+ actions.github.com/cleanup-github-secret-name: {{ include "github-secret.name" . | quote }}
+ {{- end }}
+ actions.github.com/cleanup-manager-role-binding: {{ include "manager-role-binding.name" . | quote }}
+ actions.github.com/cleanup-manager-role-name: {{ include "manager-role.name" . | quote }}
+ {{- if ne $runnerMode "kubernetes" }}
+ actions.github.com/cleanup-no-permission-service-account-name: {{ include "no-permission-serviceaccount.name" . | quote }}
+ {{- end }}
 spec:
 githubConfigUrl: {{ required ".Values.auth.url is required" (trimSuffix "/" .Values.auth.url) | quote }}
@@ -96,6 +106,12 @@ spec:
 template:
 spec:
+ {{- $runnerMode := (.Values.runner.mode | default "") -}}
+ {{- if ne $runnerMode "kubernetes" }}
+ serviceAccountName: {{ include "no-permission-serviceaccount.name" . | quote }}
+ {{- else if not (empty .Values.runner.kubernetesMode.serviceAccountName) }}
+ serviceAccountName: {{ .Values.runner.kubernetesMode.serviceAccountName | quote }}
+ {{- end }}
 containers:
 - name: runner
 image: {{ .Values.runner.container.image | default "ghcr.io/actions/actions-runner:latest" | quote }}
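Review bot: `$runnerMode` is declared at the top of this hunk and declared a second time in the `spec.template.spec` hunk of the same file; Go templates accept the repeated `:=`, and if the first declaration is not itself nested in an `if`/`with`/`range` (the lines above the hunk are not visible) its scope already reaches the end of the file, so the second line `{{- $runnerMode := (.Values.runner.mode | default "") -}}` can be dropped and one declaration serve both places. `$usesKubernetesSecrets` only tolerates a missing `secretResolution` block because `or` short-circuits before `eq` dereferences `.Values.secretResolution.type`, which holds for Helm builds on Go 1.18 or newer; a comment such as `{{/* relies on short-circuit or: .Values.secretResolution may be unset */}}` would make that dependency explicit.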
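Review bot: For every mode other than `kubernetes` the pod is pinned to the chart-managed account, yet the comment added to `no-permission-serviceaccount.name` in `_helpers.tpl` says it is meant for the case where the user has not specified an explicit ServiceAccount; nothing in this hunk checks for a user-supplied name, so either that comment overstates the behaviour or a values key for an explicit account is still missing (the enclosing `template.spec` continues outside the hunk, so a later override may exist). The `else if` branch also dereferences `.Values.runner.kubernetesMode.serviceAccountName`, which aborts rendering with a nil-pointer error if `runner.kubernetesMode` is absent from the effective values (the chart's defaults are not visible in this patch); guarding the parent map, `{{- $k8sMode := .Values.runner.kubernetesMode | default dict }}` and then `{{- else if not (empty $k8sMode.serviceAccountName) }}` with `serviceAccountName: {{ $k8sMode.serviceAccountName | quote }}`, avoids that.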
@@ -0,0 +1,14 @@ +{{- $runnerMode := (.Values.runner.mode | default "") -}} +{{- if ne $runnerMode "kubernetes" -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "no-permission-serviceaccount.name" . | quote }} + namespace: {{ include "autoscaling-runner-set.namespace" . | quote }} + labels: + {{- include "no-permission-serviceaccount.labels" . | nindent 4 }} + annotations: + {{- include "no-permission-serviceaccount.annotations" . | nindent 4 }} + finalizers: + - actions.github.com/cleanup-protection +{{- end }} diff --git a/charts/gha-runner-scale-set-dev/values.yaml b/charts/gha-runner-scale-set-dev/values.yaml index 6a759220..4fd081f9 100644 --- a/charts/gha-runner-scale-set-dev/values.yaml +++ b/charts/gha-runner-scale-set-dev/values.yaml @@ -116,6 +116,13 @@ resource: labels: {} annotations: {} + # Specifies metadata that will be applied to the no-permission ServiceAccount + # (created for non-kubernetes runner modes). + noPermissionServiceAccount: + metadata: + labels: {} + annotations: {} + # TODO: Add more resource customizations when needed # Template applied for the runner container
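Review bot: The new ServiceAccount keeps non-kubernetes runner pods off the namespace `default` account, but a token for it is still projected into every runner container unless automount is disabled, and a token with no RoleBindings still authenticates to the API server (discovery and self-subject review endpoints are open to any authenticated identity). The least-privilege intent behind the "no-permission" name is completed by adding `automountServiceAccountToken: false` as a top-level field of this manifest, next to `metadata:`, which stops the projected token unless a pod spec opts back in. From what is visible the modes this resource serves do not use in-cluster API access, but that is an inference from the chart layout rather than from the hunk, so confirm the runner image does not rely on a mounted token before adding it. The values.yaml hunk that follows on the same line only adds metadata customisation for this account and needs nothing further.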