Update comment on GH PAT for runners (#2926)

[static]

Signed-off-by: canton-network-da <team-canton-network@digitalasset.com>

Author: canton-network-da

cluster/pulumi/gha/src/runners.ts

@@ -769,8 +769,9 @@ export function installRunnerScaleSets(controller: k8s.helm.v3.Release): void {
         namespace: runnersNamespace.metadata.name,
       },
       stringData: {
-        // This is the 'Actions Runner' token for canton-network-da GH user.
-        // Note that the user needs admin rights on the repo for this to work, since the controller and
+        // This is the 'Self-hosted runner token' token for canton-network-da GH user.
+        // Note that the user needs "read/write rights access to administration" and "read access to metadata"
+        // (fine-grained) permissions for this to work, since the controller and
         // listeners use the actions/runners/registration-token endpoint to create a temporary token
         // for registration, and this endpoint seems to require admin rights.
         // TODO(DACH-NY/canton-network-node#17842): The recommended thing to do is use a GitHub App. See here for a guide