Merge remote-tracking branch 'refs/remotes/origin/ci/deploy' into ci/deploy

.env.example

@@ -148,7 +148,7 @@ ZEROTIER_API_URL=
 # ═════════════════════════════════════════════════════════════════════════════
 # GitHub Actions self-hosted runners (deploy/ansible/install-runner.yml)
 # Per-project registration tokens. Short-lived (~1h) — mint fresh from each repo's
-# Settings > Actions > Runners > New self-hosted runner right before running the playbook.
+# Settings > Actions > Runners > New self-hosted runner. The Ansible playbook reads
-# ═════════════════════════════════════════════════════════════════════════════
+# these as EXPORTED ENV VARS on the control node, not from this file:
-# RUNNER_TOKEN_GATEHOUSE_API=
+#   export RUNNER_TOKEN_GATEHOUSE_API=xxx
-# RUNNER_TOKEN_GATEHOUSE_UI=
+#   export RUNNER_TOKEN_GATEHOUSE_UI=yyy

deploy/ansible/README.md

@@ -25,13 +25,8 @@ install-runner.yml          the playbook
 
 ## Tokens
 
-Registration tokens are **per-repo and expire ~1h after minting**. Set one key per
+Registration tokens are **per-repo and expire ~1h after minting**. Exported as env
-project in the repo `.env` (control node), referenced by `token_env` in `host_vars`:
+vars on the control node, named by each project's `token_env` in `host_vars`.
-
-```
-RUNNER_TOKEN_GATEHOUSE_API=AXXX...
-RUNNER_TOKEN_GATEHOUSE_UI=AYYY...
-```
 
 Mint each from the repo's **Settings > Actions > Runners > New self-hosted runner**
 (the value after `--token`), then run the playbook within the hour.
@@ -42,7 +37,9 @@ Mint each from the repo's **Settings > Actions > Runners > New self-hosted runne
 cd deploy/ansible
 
 # 1. Edit inventory.ini (set ansible_host / ansible_user) and host_vars/*.yml.
-# 2. Refresh RUNNER_TOKEN_* in ../../.env.
+# 2. Export fresh tokens (leading space keeps them out of shell history):
+ export RUNNER_TOKEN_GATEHOUSE_API=xxx
+ export RUNNER_TOKEN_GATEHOUSE_UI=yyy
 
 ansible-playbook --syntax-check install-runner.yml
 ansible-playbook install-runner.yml --check --diff --limit stage   # dry run

deploy/ansible/group_vars/all.yml

@@ -10,5 +10,5 @@ runner_sha256: "4ef2f25285f0ae4477f1fe1e346db76d2f3ebf03824e2ddd1973a2819bf6c8cf
 runner_tarball: "actions-runner-linux-x64-{{ runner_version }}.tar.gz"
 runner_download_url: "https://github.com/actions/runner/releases/download/v{{ runner_version }}/{{ runner_tarball }}"
 
-# Repo .env on the control node holding per-project RUNNER_TOKEN_<PROJECT> keys.
+# Registration tokens come from env vars named by each project's `token_env`
-env_file: "{{ playbook_dir }}/../../.env"
+# (e.g. RUNNER_TOKEN_GATEHOUSE_API). Export them on the control node before running.

deploy/ansible/tasks/install_project.yml

@@ -1,18 +1,16 @@
 ---
 # Expands one project entry into `count` runner instances.
-- name: "Read registration token for {{ project_spec.project }} from .env"
+- name: "Read registration token for {{ project_spec.project }} from env var"
   ansible.builtin.set_fact:
-    project_token: >-
+    project_token: "{{ lookup('ansible.builtin.env', project_spec.token_env) }}"
-      {{ lookup('ansible.builtin.ini', project_spec.token_env,
-                file=env_file, type='properties') }}
 
 - name: "Fail if token missing for {{ project_spec.project }}"
   ansible.builtin.assert:
     that:
       - project_token | length > 0
     fail_msg: >-
-      {{ project_spec.token_env }} not found in {{ env_file }}.
+      Env var {{ project_spec.token_env }} is empty/unset.
-      Mint a fresh registration token (Settings > Actions > Runners) and set it.
+      Export a fresh registration token (Settings > Actions > Runners) before running.
 
 - name: "Install {{ project_spec.count }} runner(s) for {{ project_spec.project }}"
   ansible.builtin.include_tasks: install_one_runner.yml