Multi-tenancy runner registers, never gets jobs

[jspc]

So a weird case I don't understand, and that I can't get a handle on from the docs. I have installed v0.26.0 from fresh (to try and mitigate any weirdness), and tried to get two runners working.

The first is a completely vanilla interpretation install, following the Organisation Runners section of the docs to a T, using the default secret name from the Github App Authentication section of the docs and.... it works magically. The runner registers and picks up jobs.

The second, though, follows the Multitenancy section of the doc, including setting the various secretRef fields- but while the runner registers against the correct org, with the expected name, and is in the idle state, that's about it. No jobs are picked up.

Github apps are identical (I created them both from the link here), so I can't see how one might work and the other not.

Logs on the controller don't give me any hint (either there's nothing of use, or I'm not smart enough to understand- I'm very happy to admit to the latter), beyond:

2022-09-24T18:24:00Z    DEBUG   controller-runtime.webhook.webhooks     received request        {"webhook": "/mutate-runner-set-pod", "UID": "70994bc1-5136-4612-8566-9b15cf8d06c8", "kind": "/v1, Kind=Pod", "resource": {"group":"","version":"v1","resource":"pods"}}
2022-09-24T18:24:00Z    DEBUG   controller-runtime.webhook.webhooks     wrote response  {"webhook": "/mutate-runner-set-pod", "code": 200, "reason": "", "UID": "70994bc1-5136-4612-8566-9b15cf8d06c8", "allowed": true}
2022-09-24T18:24:00Z    DEBUG   controller-runtime.webhook.webhooks     received request        {"webhook": "/mutate-runner-set-pod", "UID": "8b4111a0-7e24-48e4-a13a-9661280ffacd", "kind": "/v1, Kind=Pod", "resource": {"group":"","version":"v1","resource":"pods"}}
2022-09-24T18:24:00Z    DEBUG   controller-runtime.webhook.webhooks     wrote response  {"webhook": "/mutate-runner-set-pod", "code": 200, "reason": "", "UID": "8b4111a0-7e24-48e4-a13a-9661280ffacd", "allowed": true}
2022/09/24 18:24:00 http: TLS handshake error from 192.168.0.8:15105: EOF

I'm not really sure how to diagnose that webhook error (which I assume is the smoking gun); has anybody else come across this before?

[jspc]

Nahhhh ignore me, I'm being an idiot. I was trying to use the runner from a public repo. I'm happy to absorb the risk, since my runner has bugger all on it, so I enabled the runner for public repos and there I was.