Add token expiry parameter to Create Runner API endpoint

Summary

The Create Runner API endpoint (POST /user/runners) currently does not support setting a custom expiration time for the generated runner authentication token. This creates a security gap for organizations that need to enforce hard token expiration policies.

Problem to Solve

Organizations with strict security controls need the ability to set hard expiration dates on runner authentication tokens when creating runners programmatically. The current API only supports instance-wide automatic rotation policies, but doesn't allow per-token expiration control during creation.

Current Limitation:

• The API generates tokens without expiration control
• Instance-wide rotation policies don't meet granular security requirements
• No way to enforce different expiration policies for different teams/use cases

Proposal

Add an optional expires_at parameter to the POST /user/runners API endpoint.

Use Case

Enterprise Security Compliance:

• Company policy requires runner tokens to expire after x week maximum
• Different teams may need different expiration policies
• Hard expiration prevents token reuse beyond approved timeframes

Related to: #345427 (closed)