From 36550aafd5c54ddc8490b0d928ca171184c8c30e Mon Sep 17 00:00:00 2001
From: Hunter Halloran
Date: Wed, 17 Dec 2025 11:22:01 -0500
Subject: [PATCH] gh runner cleanup

---
 sw/builders/services.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/sw/builders/services.nix b/sw/builders/services.nix
index a05fd63..a404abf 100644
--- a/sw/builders/services.nix
+++ b/sw/builders/services.nix
@@ -51,6 +51,10 @@ mkIf builderCfg.githubRunner.enable {
 ProtectKernelModules = mkForce false;
 ProtectControlGroups = mkForce false;
 
+ # Use LoadCredential to securely pass the token file to the service
+ # This allows the service to read the token even when running as non-root
+ LoadCredential = "token:${builderCfg.githubRunner.tokenFile}";
+
 # Don't override ExecStartPre - let the default module handle configuration
 # Just make the cleanup more tolerant by wrapping the original script
 ExecStartPre = mkForce (
@@ -81,7 +85,14 @@ mkIf builderCfg.githubRunner.enable {
 set -e
 runnerDir="${builderCfg.githubRunner.workDir}/${builderCfg.githubRunner.name}"
- token=$(cat "${builderCfg.githubRunner.tokenFile}")
+
+ # Read token from systemd credential (passed via LoadCredential)
+ if [ -n "''${CREDENTIALS_DIRECTORY:-}" ] && [ -f "''${CREDENTIALS_DIRECTORY}/token" ]; then
+ token=$(cat "''${CREDENTIALS_DIRECTORY}/token")
+ else
+ echo "Error: Token credential not available"
+ exit 1
+ fi
 cd "$runnerDir"
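Review bot: `LoadCredential = "token:${builderCfg.githubRunner.tokenFile}";` interpolates the option into a Nix string, and if `tokenFile` is declared with a path type (or set as an unquoted path literal) that interpolation copies the token into the world-readable Nix store, which defeats the point of using a credential. The option declaration is outside this hunk, so confirm it is `types.str` (or add an assertion on `builtins.isString builderCfg.githubRunner.tokenFile`) before relying on this. Separately, NixOS merges systemd unit options only when all definitions are lists, so if the underlying github-runner module already sets LoadCredential a bare string here yields a conflicting-definition error; the list form `LoadCredential = [ "token:${builderCfg.githubRunner.tokenFile}" ];` is the safer spelling. The comment could also name the path the wrapper script expects, e.g. `# Exposed to ExecStartPre as $CREDENTIALS_DIRECTORY/token`.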