Open dotdc opened 3 months ago
Hello! Thank you for filing an issue.
The maintainers will triage your issue shortly.
In the meantime, please take a look at the troubleshooting guide for bug reports.
If this is a feature request, please review our contribution guidelines.
@noamgreen
As a workaround, I created another service account with the desired annotations in the same namespace and configured the template in gha-runner-scale-set to use it instead.

```yaml
# Doc: https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml
template:
  spec:
    serviceAccount: custom-k8s-sa-name
    serviceAccountName: custom-k8s-sa-name
```
Yes, I just tested your commit and have the same issues: I can't get any access in "kubernetes" mode. Hmm, not sure you can do that in the same pod... I don't understand the change GitHub made. What do they think, that I run the job locally and do what?

These are the resources I have after using the commit you added (no change), after I added the serviceAccountName.

It's disturbing the Rolebinding and you will get a lovely so if you look, when the pod comes up it gets some "SA" generated from the AutoscalingRunnerSet:

```
Error: Error: The Service account needs the following permissions [{"group":"","verbs":["get","list","create","delete"],"resource":"pods","subresource":""},{"group":"","verbs":["get","create"],"resource":"pods","subresource":"exec"},{"group":"","verbs":["get","list","watch"],"resource":"pods","subresource":"log"},{"group":"batch","verbs":["get","list","create","delete"],"resource":"jobs","subresource":""},{"group":"","verbs":["create","delete","get","list"],"resource":"secrets","subresource":""}] on the pod resource in the 'gha-runner' namespace. Please contact your self hosted runner administrator.
```

So I think you need to add the ServiceName in what you did, and I am now trying to find what to add for the one more service account.
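The following manifest is an added example, not part of the thread or of the actions-runner-controller project. It combines the two comments above: a custom service account carrying the Workload Identity annotation, bound to a namespaced Role that grants exactly the permissions listed in the error message. The names `custom-k8s-sa-role` and `custom-k8s-sa-rolebinding` are hypothetical, and it is an assumption that the custom service account lives in the `gha-runner` namespace named in the error.

```yaml
# Added example: custom runner ServiceAccount with the minimum RBAC from the error text.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: custom-k8s-sa-name            # name used in the workaround comment
  namespace: gha-runner               # namespace named in the error (assumed target)
  annotations:
    # Placeholder value from the issue; substitute your own IAM service account.
    iam.gke.io/gcp-service-account: IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: custom-k8s-sa-role            # hypothetical name
  namespace: gha-runner
rules:
  # One rule per entry in the error's permission list; subresources use resource/subresource.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "create", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "delete", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: custom-k8s-sa-rolebinding     # hypothetical name
  namespace: gha-runner
subjects:
  - kind: ServiceAccount
    name: custom-k8s-sa-name
    namespace: gha-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: custom-k8s-sa-role
```

Because the Role includes `get` and `list` on secrets, keep the runner namespace free of secrets that workflow jobs should not read. The binding can be checked with `kubectl auth can-i create pods/exec -n gha-runner --as=system:serviceaccount:gha-runner:custom-k8s-sa-name`.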
Checks
Controller Version
0.9.1
Deployment Method
Helm
To Reproduce
Describe the bug
We would like to have the ability to set custom annotations on the no_permission_serviceaccount for our gha runner scale sets. This can be needed in some Google Workload Identity setups:
iam.gke.io/gcp-service-account=IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com
Source: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#kubernetes-sa-to-iam
Describe the expected behavior
N/A
Additional Context
Controller Logs
Runner Pod Logs