feat: Enterprise-level runners #5096

Open

dmitrykiselev27 wants to merge 2 commits into github-aws-runners:main from dmitrykiselev27:enterprise-level-runner

@dmitrykiselev27
Contributor

Description

Adds enterprise-level runner registration support. Previously, runners could only be registered at the repository or organization level using GitHub App authentication. This PR introduces a third registration level — enterprise — using PAT-based authentication against the GitHub Enterprise runner management APIs.

Key changes

Terraform

  • New runner_registration_level variable ("repo" | "org" | "enterprise") replaces the boolean enable_organization_runners
  • New enterprise_slug and enterprise_pat variables for enterprise configuration. Supports comma-separated multiple PATs for rate limit distribution.
  • github_app no longer requires key_base64 or id when runner_registration_level = "enterprise" — only webhook_secret is needed. No GitHub App creation required for enterprise runners.

Lambda functions

  • Enterprise code paths added for runner registration, listing, busy-state checks, de-registration, and termination — all using raw client.request() since Octokit's typed helpers don't cover enterprise endpoints
  • New createEnterprisePATClient() in auth.ts reads PAT from SSM and randomly selects one token from a comma-separated list per invocation
  • New resolveRunnerType() helper reads RUNNER_REGISTRATION_LEVEL env var with backward-compatible fallback to the legacy ENABLE_ORGANIZATION_RUNNERS

Test Plan

  1. Create PAT with the manage_runners:enterprise scope.
  2. Create webhook on Enterprise level. Events: select Workflow jobs only
  3. Set required Terraform variables:

         runner_registration_level = "enterprise"
         enterprise_slug = "<your-enterprise-slug>"
         enterprise_pat = {
           pat = "<your-PAT>"
         }

  4. Deploy the module
  5. Trigger GHA workflow to test

Related Issues

dmitrykiselev27 force-pushed the enterprise-level-runner branch 3 times, most recently from 669630b to 1313567 (April 8, 2026 16:42)
@edersonbrilhante
Contributor

What is the rate limit for this type of PAT? Maybe allow multiple PATs and set some round-robin logic. There is an open PR to support multiple apps for this reason.

@dmitrykiselev27
Contributor Author

@edersonbrilhante as usual, 5000 requests/hour. For this reason, in this implementation the PAT string can be a comma-separated list.

When a function creates EnterprisePATClient, it takes a random token from the list.
It's not the most clever logic, I know, but to properly implement round-robin logic, I would need to store some state outside of the Lambda function (there is no guarantee Lambda will reuse the container for the next execution, and there may also be multiple concurrent executions). But I'm open to feedback on this topic.
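The stateless random selection discussed in this thread, as an added example; it is not code from the PR. The function names, the injectable `rand` parameter and the sample value are hypothetical, and the token would in practice come from the SSM parameter rather than a literal.

```typescript
// Added example, not the PR's implementation. All names are hypothetical.

interface PatChoice {
  token: string;    // secret: hand to the API client only, never log it
  index: number;    // safe to log: position of the token in the list
  poolSize: number; // safe to log: number of distinct tokens
}

// Split the comma-separated value, tolerating spaces and stray commas.
function parsePatList(raw: string): string[] {
  const tokens = raw.split(",").map((t) => t.trim()).filter((t) => t.length > 0);
  if (tokens.length === 0) {
    throw new Error("enterprise PAT parameter contains no tokens");
  }
  // De-duplicate so a repeated token does not receive a double share of calls.
  return tokens.filter((t, i) => tokens.indexOf(t) === i);
}

// Stateless pick: no shared counter, so concurrent invocations and cold
// starts need no coordination. `rand` is injectable to make tests repeatable.
function pickPat(raw: string, rand: () => number = Math.random): PatChoice {
  const tokens = parsePatList(raw);
  const index = Math.min(Math.floor(rand() * tokens.length), tokens.length - 1);
  return { token: tokens[index], index, poolSize: tokens.length };
}

// Count how many of `invocations` picks land on each token index, to check
// how evenly the per-token rate limit budget is being consumed.
function spread(raw: string, invocations: number, rand: () => number = Math.random): number[] {
  const counts = parsePatList(raw).map(() => 0);
  for (let i = 0; i < invocations; i++) {
    counts[pickPat(raw, rand).index]++;
  }
  return counts;
}

// Constructed sample value, not real tokens.
const SAMPLE = "pat-aaa, pat-bbb ,pat-ccc,";
const choice = pickPat(SAMPLE);
// Log which slot was used, never the token itself.
console.log(`using PAT ${choice.index + 1} of ${choice.poolSize}`);
console.log(spread(SAMPLE, 9000));
```

Logging the slot index rather than any token material keeps the secret out of CloudWatch while still showing which PAT hit a rate limit.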

dmitrykiselev27 force-pushed the enterprise-level-runner branch from 36fd927 to 8b9e1c7 (April 9, 2026 08:44)
dmitrykiselev27 marked this pull request as ready for review (April 9, 2026 09:20)
dmitrykiselev27 requested review from a team as code owners (April 9, 2026 09:20)
@Brend-Smits
Contributor

What's the reason for supporting PATs and not just enterprise GitHub Apps?

@dmitrykiselev27
Contributor Author

@Brend-Smits unfortunately, a GitHub App at the enterprise level does not allow managing runners.

@Brend-Smits
Contributor

> @Brend-Smits unfortunately, a GitHub App at the enterprise level does not allow managing runners.

Okay thanks! I will try to arrange a test enterprise to be able to test this and get back to you 👍🏼
