diff --git a/README.md b/README.md
index d5bb785..c3708b0 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,9 @@ runner_org: false
 # Labels to apply to the runner
 runner_labels: []
+# Disable default labels (self-hosted, Linux, X64) and require custom labels. Set `runner_no_default_labels: true` and provide at least one label in `runner_labels` to use this feature.
+runner_no_default_labels: false
+
 # Group to add organization runner to
 runner_group: ""
@@ -262,34 +265,9 @@ In this example the Ansible role will uninstall the runner service and unregiste
 1. Install Python, Docker, and Ansible if you haven't already.
 2. Install Molecule and its Docker driver with pip:
-```bash
-pip install "molecule-plugins[docker]"
-```
-Sure, here's a basic example of how you might structure a README to explain how to test the `monolithprojects.github_actions_runner` Ansible role with Molecule:
-
-```markdown
-# monolithprojects.github_actions_runner
-
-This is an Ansible role for setting up GitHub Actions runners.
-
-## Testing with Molecule
-
-[Molecule](https://molecule.readthedocs.io/) is a testing framework for Ansible that we use to test the `monolithprojects.github_actions_runner` role.
-
-### Prerequisites
-
-- Python
-- Docker
-- Ansible
-- Molecule
-
-### Installation
-
-1. Install Python, Docker, and Ansible if you haven't already.
-2. Install Molecule and its Docker driver with pip:
-
 ```bash
 pip install molecule[docker]
+pip install "molecule-plugins[docker]"
 ```
 ### Running Tests
diff --git a/defaults/main.yml b/defaults/main.yml
index 78d532e..3c98014 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,6 +45,9 @@ runner_download_repository: "actions/runner"
 # Several arguments must be set as one string (i.e. "--ephemeral --my_special_fork")
 runner_extra_config_args: ""
+# Disable default labels (self-hosted, Linux, X64) and require custom labels. Set `runner_no_default_labels: true` and provide at least one label in `runner_labels` to use this feature.
+runner_no_default_labels: false
+
 # Name to assign to this runner in GitHub (System hostname as default)
 runner_name: "{{ ansible_facts.hostname }}"
diff --git a/molecule/no_default_labels/converge.yml b/molecule/no_default_labels/converge.yml
new file mode 100644
index 0000000..6b32de6
--- /dev/null
+++ b/molecule/no_default_labels/converge.yml
@@ -0,0 +1,17 @@
+---
+- name: Test no_default_labels scenario
+ hosts: all
+ become: yes
+ vars:
+ runner_user: ansible
+ github_repo: "{{ lookup('env', 'GITHUB_REPO') }}"
+ github_account: "{{ lookup('env', 'GITHUB_ACCOUNT') }}"
+ runner_version: "latest"
+ runner_name: test_name
+ runner_no_default_labels: true
+ runner_labels:
+ - testlabel1
+ - testlabel2
+ roles:
+ - role: monolithprojects.github_actions_runner
+
diff --git a/molecule/no_default_labels/molecule.yml b/molecule/no_default_labels/molecule.yml
new file mode 100644
index 0000000..8d3aa46
--- /dev/null
+++ b/molecule/no_default_labels/molecule.yml
@@ -0,0 +1,39 @@
+---
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ verbosity: 0
+ playbooks:
+ converge: converge.yml
+ cleanup: ../default/cleanup.yml
+ verify: verify.yml
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: "${MOLECULE_IMAGE:-ubuntu22}-latest"
+ image: "${namespace:-monolithprojects}/systemd-${MOLECULE_IMAGE:-ubuntu22}:latest"
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:${MOLECULE_DOCKER_VOLUMES:-rw}" # Use "ro" for cgroup v1 and "rw" for cgroup v2
+ cgroupns_mode: ${MOLECULE_DOCKER_CGROUPS_MODE:-"host"} # Use "private" for cgroup v1 and "host" for cgroup v2
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ privileged: true
+ pre_build_image: true
+verifier:
+ name: ansible
+scenario:
+ name: no_default_labels
+ test_sequence:
+ - dependency
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - side_effect
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/no_default_labels/requirements.yml b/molecule/no_default_labels/requirements.yml
new file mode 100644
index 0000000..ee41ee4
--- /dev/null
+++ b/molecule/no_default_labels/requirements.yml
@@ -0,0 +1,5 @@
+---
+
+roles:
+- name: robertdebock.epel
+ version: 3.0.1
diff --git a/molecule/no_default_labels/verify.yml b/molecule/no_default_labels/verify.yml
new file mode 100644
index 0000000..a079a88
--- /dev/null
+++ b/molecule/no_default_labels/verify.yml
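Review bot: The `platforms` entry in molecule/no_default_labels/molecule.yml runs the test container with `privileged: true` and the host cgroup tree mounted, while `image:` resolves to a mutable `:latest` tag whose namespace is taken from the environment. Whatever is next published under that name therefore runs with near-host privileges on the machine executing the tests. I would pin the image by digest (`...@sha256:<DIGEST_PLACEHOLDER>`) or at least add a comment such as `# privileged + host cgroups are required for systemd in the container; image is trusted, see <LINK_PLACEHOLDER>`. This probably mirrors the default scenario, which is not visible here, so the same would apply there.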
@@ -0,0 +1,44 @@
+---
+- name: Validate Repo runners
+ user: ansible
+ hosts: all
+ gather_facts: yes
+ become: yes
+ vars:
+ runner_user: ansible
+ github_repo: "{{ lookup('env', 'GITHUB_REPO') }}"
+ github_account: "{{ lookup('env', 'GITHUB_ACCOUNT') }}"
+ github_api_url: "https://api.github.com"
+ access_token: "{{ lookup('env', 'PERSONAL_ACCESS_TOKEN') }}"
+ runner_name: "{{ ansible_facts.hostname }}"
+
+ tasks:
+ - name: Check currently registered runners
+ ansible.builtin.uri:
+ url: "{{ github_api_url }}/repos/{{ github_owner | default(github_account) }}/{{ github_repo }}/actions/runners"
+ headers:
+ Authorization: "token {{ access_token }}"
+ Accept: "application/vnd.github.v3+json"
+ method: GET
+ status_code: 200
+ force_basic_auth: yes
+ register: registered_runners
+
+ - name: Check Runner
+ ansible.builtin.assert:
+ that:
+ - registered_runners.json.runners.0.status == "online"
+ quiet: true
+
+ - debug:
+ var: registered_runners.json.runners.0
+
+ - name: Set fact - current labels
+ ansible.builtin.set_fact:
+ current_labels: "{{ registered_runners.json.runners.0 | json_query('labels[*].name') | list }}"
+
+ - name: Check Labels (skipped if labels are OK)
+ ansible.builtin.assert:
+ that:
+ - current_labels == ['testlabel1', 'testlabel2']
+ fail_msg: "Expected only the custom labels 'testlabel1' and 'testlabel2', but got {{ current_labels }}"
\ No newline at end of file
diff --git a/tasks/assert.yml b/tasks/assert.yml
index 6abf982..888528a 100644
--- a/tasks/assert.yml
+++ b/tasks/assert.yml
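Review bot: Both assertions in molecule/no_default_labels/verify.yml read `registered_runners.json.runners.0`, so they test whichever runner the API lists first rather than the one this scenario registered; if the test repository holds any other runner, the label check is looking at the wrong object. Selecting by name would fix that, e.g. `{{ registered_runners.json.runners | selectattr('name', 'equalto', runner_name) | first }}`, but note that converge.yml sets `runner_name: test_name` while this play sets `runner_name: "{{ ansible_facts.hostname }}"`, so the two have to agree first. The comparison `current_labels == ['testlabel1', 'testlabel2']` also depends on the order the API returns; `current_labels | sort == ['testlabel1', 'testlabel2']` is sturdier. Since the `uri` task carries the personal access token in its `Authorization` header, `no_log: true` on that task would keep it out of verbose output.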
@@ -39,3 +39,10 @@
 fail_msg: "runner_user_win_password was not defined, but it is required on a windows system"
 run_once: true
 when: github_actions_system == "win"
+
+- name: Check runner_labels is not empty if runner_no_default_labels is true (RUN ONCE)
+ ansible.builtin.assert:
+ that:
+ - not (runner_no_default_labels | bool) or (runner_labels is defined and runner_labels | length > 0)
+ fail_msg: "runner_labels must be set and not empty when runner_no_default_labels is true."
+ run_once: true
\ No newline at end of file
diff --git a/tasks/install_runner_unix.yml b/tasks/install_runner_unix.yml
index 8497017..6b08c5a 100644
--- a/tasks/install_runner_unix.yml
+++ b/tasks/install_runner_unix.yml
@@ -82,6 +82,7 @@
 --labels {{ runner_labels | join(',') }} \
 --runnergroup {{ runner_group }} \
 --unattended \
+ {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \
 {{ runner_extra_config_args }}"
 args:
 chdir: "{{ runner_dir }}"
@@ -120,6 +121,7 @@
 --name '{{ runner_name }}' \
 --labels {{ runner_labels | join(',') }} \
 --unattended \
+ {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \
 {{ runner_extra_config_args }} \
 --replace"
 args:
diff --git a/tasks/install_runner_win.yml b/tasks/install_runner_win.yml
index 2da19fe..c8e0f1a 100644
--- a/tasks/install_runner_win.yml
+++ b/tasks/install_runner_win.yml
@@ -78,8 +78,9 @@
 --runasservice \
 --windowslogonaccount {{ runner_user }} \
 --windowslogonpassword {{ runner_user_win_password }} \
- --unattended \
- {{ runner_extra_config_args }}"
+ --unattended \
+ {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \
+ {{ runner_extra_config_args }}"
 args:
 chdir: "{{ runner_dir }}"
 changed_when: true
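Review bot: `run_once: true` on the new assert in tasks/assert.yml evaluates the condition only for the first host of the play, so a host that sets `runner_no_default_labels: true` with an empty `runner_labels` in its own host_vars is never checked and reaches the registration command with `--no-default-labels` and an empty `--labels` value. Both variables are naturally per-host, so I would drop `run_once` on this task even though the neighbouring asserts use it. The condition also accepts a plain string for `runner_labels`; adding `- runner_labels is not string` to `that` would reject that before `join(',')` sees it. The file now ends without a trailing newline.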
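Review bot: The added `--no-default-labels` line in tasks/install_runner_unix.yml is emitted whenever the variable is true, with no check that the installed runner release understands the flag; as far as I know it is not present in older runner releases, so a pinned older `runner_version` would presumably fail at registration rather than at the assert stage. A version guard in tasks/assert.yml, or a sentence on the minimum runner version in the `runner_no_default_labels` comment in defaults/main.yml, would make the requirement explicit. The same line is added in the second hunk of this file (the `--replace` command) and in both hunks of tasks/install_runner_win.yml. All four tasks start and end outside their hunks, so I cannot see whether the re-registration condition notices a change of this variable on an already registered runner; that is worth confirming, since the label set decides which workflows are routed to the host.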
@@ -101,9 +102,10 @@
 --runasservice \
 --windowslogonaccount {{ runner_user }} \
 --windowslogonpassword {{ runner_user_win_password }} \
- --unattended \
- {{ runner_extra_config_args }} \
- --replace"
+ --unattended \
+ {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \
+ {{ runner_extra_config_args }} \
+ --replace"
 args:
 chdir: "{{ runner_dir }}"
 changed_when: true