This repository has been archived by the owner on Sep 13, 2022. It is now read-only.

runners can access admin-scoped PAT #7

Open
scottlamb opened this issue Sep 1, 2022 · 0 comments

scottlamb commented Sep 1, 2022

First, thanks for writing this!

I'm doing a quick audit. I see that:

  • the readme describes making a "Github Personal Access Token with workflow and admin:org scopes".
  • the runner VMs are allowed to read that token.
  • AFAICT, they only use that token to create a short-lived/less-privileged registration token.

Could the registration tokens be created from the webhook instead and passed in to the VMs on launch, and that IAM policy be put only on the webhook, not the VM? Then if hostile code sneaks into the build, it can't get persistent admin access (this way, at least).
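The flow proposed in this issue, as an added example that is not code from this repository or from the issue author: the webhook alone holds the PAT, exchanges it for a registration token through GitHub's REST endpoint for organization runners, and hands the VM only that token. The function names, the metadata keys, the `launch_vm` callback and the sample values are hypothetical, and the fake transport is constructed so the example runs offline.

```python
import json
import urllib.request

GITHUB_API = "https://api.github.com"

def _urllib_post(url, headers):
    # Real transport; urllib raises HTTPError itself on 4xx/5xx responses.
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()

def fake_github_post(url, headers):
    # Constructed stand-in for api.github.com (sample values, not real tokens).
    assert url.endswith("/orgs/example-org/actions/runners/registration-token")
    assert headers["Authorization"].startswith("Bearer ")
    return 201, b'{"token": "CONSTRUCTED_REG_TOKEN", "expires_at": "2022-09-01T13:00:00Z"}'

def mint_registration_token(org, pat, http_post=_urllib_post):
    """Webhook side only: exchange the admin-scoped PAT for a short-lived token."""
    url = f"{GITHUB_API}/orgs/{org}/actions/runners/registration-token"
    headers = {"Authorization": f"Bearer {pat}",
               "Accept": "application/vnd.github+json"}
    status, body = http_post(url, headers)
    if status != 201:
        raise RuntimeError(f"registration-token request failed: HTTP {status}")
    data = json.loads(body)
    return data["token"], data["expires_at"]

def build_vm_metadata(org, reg_token, expires_at):
    """Everything the runner VM receives; the key names are hypothetical."""
    return {
        "runner-url": f"https://github.com/{org}",
        "runner-registration-token": reg_token,
        "runner-token-expires-at": expires_at,
    }

def handle_job_queued(org, pat, launch_vm, http_post=_urllib_post):
    """Webhook handler: the PAT is used here and never forwarded to the VM."""
    token, expires_at = mint_registration_token(org, pat, http_post)
    metadata = build_vm_metadata(org, token, expires_at)
    if any(pat in str(value) for value in metadata.values()):
        raise RuntimeError("refusing to launch: PAT found in VM metadata")
    launch_vm(metadata)  # hypothetical callback wrapping the cloud launch call
    return metadata

if __name__ == "__main__":
    print(handle_job_queued("example-org", "ghp_CONSTRUCTED_PAT",
                            launch_vm=lambda md: None, http_post=fake_github_post))
```

With this split, the permission to read the PAT secret is needed only by the webhook's identity, not by the VM's.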
