Update ACA GitHub runner to use GitHub App credentials instead of a PAT
User Story
As a DevOps engineer deploying Azure Container Apps GitHub runners
I want to authenticate using a GitHub App instead of a Personal Access Token
So that I can follow security best practices with short-lived tokens, avoid managing long-lived secrets, and eliminate the risk of PAT exposure in Terraform state.
Definition of Done
- ACA runners can deploy using only GitHub App credentials (App ID, Installation ID, Private Key)
- KEDA scaler authenticates to GitHub using the GitHub App instead of PAT
- Runners register and deregister reliably during scale up/down events
- No sensitive values are stored in Terraform state or outputs
- Private key can be sourced from Azure Key Vault for production deployments
- VM-based runners remain unchanged (continue using registration tokens)
- Documentation is updated with GitHub App setup instructions
Values Provided
This migration enhances security by eliminating long-lived PATs while maintaining full functionality for container-based GitHub runners.
Additional Information
High-Level Implementation Plan
- 🔧 Terraform Variables & Configuration
Add new sensitive variables for GitHub App authentication:
github_app_id, github_app_installation_id, github_app_private_key_base64
Remove PAT variables from ACA module entirely
Add validation to require GitHub App vars when github_runner_type == "aca"
Update Container Apps to use GitHub App secrets and environment variables
- 🐳 Container Runtime Updates
Modify entrypoint script (entrypoint.sh):
Build JWT signed with App private key (RS256)
Exchange for GitHub installation access token
Use installation token for runner registration/removal
Implement secure key handling and cleanup
Update KEDA scaler to use GitHub App authentication parameters
Remove destroy provisioner and handle deregistration in container lifecycle
- 🔒 Security Enhancements
Mark sensitive variables appropriately in Terraform (note that `sensitive = true` only redacts plan/apply output; the value is still written to state, so keeping the key out of state means having the Container App read it from Key Vault via managed identity rather than passing the key through a variable)
Support Azure Key Vault integration for private key storage
Implement secure token handling with proper cleanup and error handling
Add signal traps for graceful runner deregistration on termination
- 📚 Documentation Updates
Create GitHub App setup guide with step-by-step instructions
Update security considerations to remove PAT references
Provide Terraform configuration examples for both dev and production
Add troubleshooting runbook for common authentication issues
- 🧪 Testing & Validation
Functional testing: Deploy ACA runners with GitHub App auth
Scale testing: Verify KEDA scaling behavior works correctly
Security testing: Confirm no secrets in Terraform state
Regression testing: Ensure VM runners continue to work unchanged
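The token flow from the Container Runtime Updates and Security Enhancements items above (App JWT, installation token, registration/removal token, cleanup on SIGTERM), as an added example that is not the project's entrypoint.sh. It assumes `openssl`, `curl` and `jq` are in the image and that the actions runner's `config.sh`/`run.sh` sit in the working directory; the environment variable names and the `RUN_ENTRYPOINT` guard are this example's own, not the module's. The JWT helpers work offline so they can be checked without a GitHub App.

```shell
#!/usr/bin/env bash
# Added example for this issue, not the project's entrypoint.sh.
# Assumed env: GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PRIVATE_KEY_BASE64,
#              GITHUB_OWNER, GITHUB_REPO (names are assumptions).
set -eu

# base64url without padding, as JWT requires (RFC 7515 section 2).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url: restore '+/' and '=' padding so openssl can decode it.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==";; 3) s="${s}=";; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# build_app_jwt APP_ID PRIVATE_KEY_PATH [NOW]
# RS256 JWT for the GitHub App. GitHub rejects exp more than 10 minutes out;
# iat is backdated 60s to absorb clock skew. NOW is overridable for offline tests.
build_app_jwt() {
  local app_id="$1" key_path="$2" now="${3:-$(date +%s)}"
  local header payload sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' "$((now - 60))" "$((now + 540))" "$app_id" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key_path" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# jwt_claims JWT -> decoded payload JSON (handy in a troubleshooting runbook).
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# verify_app_jwt JWT PUBLIC_KEY_PATH -> 0 if the RS256 signature is valid.
# The runner never does this; it is here to prove the token is well formed.
verify_app_jwt() {
  local jwt="$1" pub_path="$2" sigfile rc=1
  sigfile=$(mktemp)
  b64url_decode "${jwt##*.}" > "$sigfile"
  if printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$pub_path" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$sigfile"
  return $rc
}

# mint_installation_token -> short-lived (1h) installation token. Decodes the key
# into a 0600 temp file, signs one JWT, and removes the key file before any
# network call so the private key never outlives the signing step.
mint_installation_token() {
  local key_path jwt
  key_path=$(mktemp)   # mktemp creates the file with mode 0600
  printf '%s' "$GITHUB_APP_PRIVATE_KEY_BASE64" | openssl base64 -d -A > "$key_path"
  jwt=$(build_app_jwt "$GITHUB_APP_ID" "$key_path")
  rm -f "$key_path"
  curl -fsS -X POST -H "Authorization: Bearer ${jwt}" -H "Accept: application/vnd.github+json" \
    "https://api.github.com/app/installations/${GITHUB_APP_INSTALLATION_ID}/access_tokens" | jq -r .token
}

# runner_token KIND -> registration or removal token for the repo.
# KIND is registration-token or remove-token (both need Administration: R/W).
runner_token() {
  curl -fsS -X POST -H "Authorization: Bearer $(mint_installation_token)" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/repos/${GITHUB_OWNER}/${GITHUB_REPO}/actions/runners/$1" | jq -r .token
}

# Runs on SIGTERM/SIGINT (ACA scale-in). A fresh token is minted here because the
# one used at registration may have expired during a long-lived runner.
deregister() {
  ./config.sh remove --token "$(runner_token remove-token)" || true
  exit 0
}

main() {
  ./config.sh --unattended --ephemeral \
    --url "https://github.com/${GITHUB_OWNER}/${GITHUB_REPO}" \
    --token "$(runner_token registration-token)"
  trap deregister TERM INT
  ./run.sh &
  wait $!   # wait (not exec) so the trap can fire and deregister the runner
}

# Guard so the file can be sourced for offline checks of the JWT helpers.
[ "${RUN_ENTRYPOINT:-0}" = 1 ] && main "$@"
```

The registration token is consumed by `config.sh` inside a command substitution and never exported, and the decoded private key exists only for the duration of one `openssl dgst` call. The offline check below mints a key pair, builds a JWT at a fixed timestamp, decodes its claims and verifies the signature against the public key, then confirms a tampered payload fails.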
Dependencies
KEDA >= 2.17 (for GitHub App authentication support)
GitHub App with appropriate repository permissions (Administration: R/W, Actions: R)
Migration Impact
Breaking change for ACA runners (PAT no longer supported)
No impact on VM runners
One-time setup required for GitHub App creation and installation