diff --git a/.env.example b/.env.example index 701d8bb..247255d 100644 --- a/.env.example +++ b/.env.example @@ -148,7 +148,7 @@ ZEROTIER_API_URL= # ═════════════════════════════════════════════════════════════════════════════ # GitHub Actions self-hosted runners (deploy/ansible/install-runner.yml) # Per-project registration tokens. Short-lived (~1h) — mint fresh from each repo's -# Settings > Actions > Runners > New self-hosted runner right before running the playbook. -# ═════════════════════════════════════════════════════════════════════════════ -# RUNNER_TOKEN_GATEHOUSE_API= -# RUNNER_TOKEN_GATEHOUSE_UI= +# Settings > Actions > Runners > New self-hosted runner. The Ansible playbook reads +# these as EXPORTED ENV VARS on the control node, not from this file: +# export RUNNER_TOKEN_GATEHOUSE_API=xxx +# export RUNNER_TOKEN_GATEHOUSE_UI=yyy diff --git a/deploy/ansible/README.md b/deploy/ansible/README.md index a5509da..3ba9cbb 100644 --- a/deploy/ansible/README.md +++ b/deploy/ansible/README.md @@ -25,13 +25,8 @@ install-runner.yml the playbook ## Tokens -Registration tokens are **per-repo and expire ~1h after minting**. Set one key per -project in the repo `.env` (control node), referenced by `token_env` in `host_vars`: - -``` -RUNNER_TOKEN_GATEHOUSE_API=AXXX... -RUNNER_TOKEN_GATEHOUSE_UI=AYYY... -``` +Registration tokens are **per-repo and expire ~1h after minting**. Exported as env +vars on the control node, named by each project's `token_env` in `host_vars`. Mint each from the repo's **Settings > Actions > Runners > New self-hosted runner** (the value after `--token`), then run the playbook within the hour. 
@@ -42,7 +37,9 @@ Mint each from the repo's **Settings > Actions > Runners > New self-hosted runne
 cd deploy/ansible
 # 1. Edit inventory.ini (set ansible_host / ansible_user) and host_vars/*.yml.
-# 2. Refresh RUNNER_TOKEN_* in ../../.env.
+# 2. Export fresh tokens (leading space keeps them out of shell history):
+ export RUNNER_TOKEN_GATEHOUSE_API=xxx
+ export RUNNER_TOKEN_GATEHOUSE_UI=yyy
 ansible-playbook --syntax-check install-runner.yml
 ansible-playbook install-runner.yml --check --diff --limit stage # dry run
diff --git a/deploy/ansible/group_vars/all.yml b/deploy/ansible/group_vars/all.yml
index 146b1f6..6a1682c 100644
--- a/deploy/ansible/group_vars/all.yml
+++ b/deploy/ansible/group_vars/all.yml
@@ -10,5 +10,5 @@ runner_sha256: "4ef2f25285f0ae4477f1fe1e346db76d2f3ebf03824e2ddd1973a2819bf6c8cf
 runner_tarball: "actions-runner-linux-x64-{{ runner_version }}.tar.gz"
 runner_download_url: "https://github.com/actions/runner/releases/download/v{{ runner_version }}/{{ runner_tarball }}"
-# Repo .env on the control node holding per-project RUNNER_TOKEN_ keys.
-env_file: "{{ playbook_dir }}/../../.env"
+# Registration tokens come from env vars named by each project's `token_env`
+# (e.g. RUNNER_TOKEN_GATEHOUSE_API). Export them on the control node before running.
diff --git a/deploy/ansible/tasks/install_project.yml b/deploy/ansible/tasks/install_project.yml
index e2b7a00..a588c78 100644
--- a/deploy/ansible/tasks/install_project.yml
+++ b/deploy/ansible/tasks/install_project.yml
@@ -1,18 +1,16 @@
 ---
 # Expands one project entry into `count` runner instances.
-- name: "Read registration token for {{ project_spec.project }} from .env"
+- name: "Read registration token for {{ project_spec.project }} from env var"
 ansible.builtin.set_fact:
- project_token: >-
- {{ lookup('ansible.builtin.ini', project_spec.token_env,
- file=env_file, type='properties') }}
+ project_token: "{{ lookup('ansible.builtin.env', project_spec.token_env) }}"
 - name: "Fail if token missing for {{ project_spec.project }}"
 ansible.builtin.assert:
 that:
 - project_token | length > 0
 fail_msg: >-
- {{ project_spec.token_env }} not found in {{ env_file }}.
- Mint a fresh registration token (Settings > Actions > Runners) and set it.
+ Env var {{ project_spec.token_env }} is empty/unset.
+ Export a fresh registration token (Settings > Actions > Runners) before running.
 - name: "Install {{ project_spec.count }} runner(s) for {{ project_spec.project }}"
 ansible.builtin.include_tasks: install_one_runner.yml
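Review bot: The new `set_fact` stores the registration token in `project_token` without `no_log`, so running the playbook with `-v` (or any callback that prints task results) echoes the token value into the console or CI log via the task's `ansible_facts` output. Add `no_log: true` to the "Read registration token" task; the assert task needs no change because its `fail_msg` only names the variable, not its value. Registration tokens expire within about an hour, which bounds the exposure but does not remove a token from retained logs. `project_token` is then consumed by `install_one_runner.yml`, which is outside this hunk; presumably it ends up in a `config.sh --token` invocation, and that task should likewise carry `no_log: true` and avoid placing the token on argv, where it is readable in `ps` on the runner host — confirm.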