Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025 · Jun 13, 2025
@@ -85,6 +85,46 @@ ARC can use {% data variables.product.pat_v1_plural %} to register self-hosted r
 
 {% data reusables.actions.actions-runner-controller-helm-chart-options %}
 
+## Authenticating ARC with a {% data variables.product.pat_v2 %}
+
+ARC can use {% data variables.product.pat_v2_plural %} to register self-hosted runners.
+
+{% ifversion ghec or ghes %}
+
+> [!NOTE]
+> Authenticating ARC with a {% data variables.product.pat_v1 %} is the only supported authentication method to register runners at the enterprise level.
+
+{% endif %}
+
+1. Create a {% data variables.product.pat_v2 %} with the required scopes. The required scopes are different depending on whether you are registering runners at the repository or organization level. For more information on how to create a {% data variables.product.pat_v2 %}, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token).
+
+The following is the list of required {% data variables.product.pat_generic %} scopes for ARC runners.
+
+* Repository runners:
+* **Administration:** Read and write
+
+* Organization runners:
+* **Administration:** Read
+* **Self-hosted runners:** Read and write
+
+1. To create a Kubernetes secret with the value of your {% data variables.product.pat_v2 %}, use the following command.
+
+{% data reusables.actions.arc-runners-namespace %}
+
+```bash copy
+kubectl create secret generic pre-defined-secret \
+--namespace=arc-runners \
+--from-literal=_token='YOUR-PAT'
+```
+
+1. In your copy of the [`values.yaml`](https://.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) file, pass the secret name as a reference.
+
+```yaml
+ConfigSecret: pre-defined-secret
+```
+
+{% data reusables.actions.actions-runner-controller-helm-chart-options %}
+
 ## Authenticating ARC with vault secrets
 
 > [!NOTE]

@@ -31,6 +31,5 @@ With private mode enabled, you can allow unauthenticated Git operations (and any
 
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
-{% data reusables.enterprise_management_console.privacy %}
 1. Select **Private mode**.
 {% data reusables.enterprise_management_console.save-settings %}
@@ -77,6 +77,8 @@ When specifying actions{% ifversion actions-workflow-policy %} and reusable work
 * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in organizations that start with `space-org`, use `space-org*/*`.
 * To allow all actions{% ifversion actions-workflow-policy %} and reusable workflows{% endif %} in repositories that start with octocat, use `*/octocat**@*`.
 
+Policies never restrict access to local actions on the runner filesystem (where the `uses:` path start with `./`).
+
 ## Runners
 
 By default, anyone with admin access to a repository can add a self-hosted runner for the repository, and self-hosted runners come with risks:

@@ -726,6 +726,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -737,6 +738,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -748,6 +750,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -783,6 +786,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1091,6 +1095,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1222,6 +1227,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -1245,6 +1251,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1256,6 +1263,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1847,6 +1855,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -1906,6 +1915,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -1917,6 +1927,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2511,6 +2522,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -2522,6 +2534,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2533,6 +2546,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2544,6 +2558,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2555,6 +2570,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2566,6 +2582,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2577,6 +2594,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2588,6 +2606,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2599,6 +2618,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -2931,6 +2951,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -3362,6 +3383,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -3373,6 +3395,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: true
@@ -3384,6 +3407,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: false
 isPrivateWithGhas: true
 hasPushProtection: false
@@ -3712,6 +3736,17 @@
 hasPushProtection: true
 hasValidityCheck: false
 isduplicate: false
+- provider: Snowflake
+supportedSecret: Snowflake Programmatic Access Token
+secretType: snowflake_programmatic_access_token
+versions:
+fpt: '*'
+ghec: '*'
+isPublic: false
+isPrivateWithGhas: true
+hasPushProtection: false
+hasValidityCheck: false
+isduplicate: false
 - provider: Sourcegraph
 supportedSecret: Sourcegraph Access Token
 secretType: sourcegraph_access_token
@@ -4174,6 +4209,7 @@
 versions:
 fpt: '*'
 ghec: '*'
+ghes: '>=3.18'
 isPublic: true
 isPrivateWithGhas: true
 hasPushProtection: false

@@ -1,5 +1,5 @@
 {
-"sha": "de330412222eaea5838c723eb6e3e2ebb124d35e",
-"blob-sha": "06bbb1448f72fb3171b30d33d0f59334e3bba539",
+"sha": "cc6e45651c0156064ffa8604dad1dfb6256a4a85",
+"blob-sha": "6c6949487ed87adb16e5e6d9706ef7fb35929cdb",
 "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns"
 }