From fee481e77a08cf444b97f70d4c01cf03dcc77a24 Mon Sep 17 00:00:00 2001 From: Staffan Forsell <8639600+staffanf@users.noreply.github.com> Date: Wed, 1 Oct 2025 20:04:56 +0000 Subject: [PATCH 1/3] Add support for --no-default-labels --- README.md | 3 ++ defaults/main.yml | 3 ++ molecule/no_default_labels/converge.yml | 12 +++++++ molecule/no_default_labels/molecule.yml | 39 +++++++++++++++++++++ molecule/no_default_labels/requirements.yml | 2 ++ molecule/no_default_labels/verify.yml | 13 +++++++ tasks/assert.yml | 7 ++++ tasks/install_runner_unix.yml | 2 ++ tasks/install_runner_win.yml | 12 ++++--- 9 files changed, 88 insertions(+), 5 deletions(-) create mode 100644 molecule/no_default_labels/converge.yml create mode 100644 molecule/no_default_labels/molecule.yml create mode 100644 molecule/no_default_labels/requirements.yml create mode 100644 molecule/no_default_labels/verify.yml diff --git a/README.md b/README.md index d5bb785..68799ce 100644 --- a/README.md +++ b/README.md @@ -113,6 +113,9 @@ runner_org: false # Labels to apply to the runner runner_labels: [] +# Disable default labels (self-hosted, Linux, X64) and require custom labels. Set `runner_no_default_labels: true` and provide at least one label in `runner_labels` to use this feature. +runner_no_default_labels: false + # Group to add organization runner to runner_group: "" diff --git a/defaults/main.yml b/defaults/main.yml index 78d532e..3c98014 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -45,6 +45,9 @@ runner_download_repository: "actions/runner" # Several arguments must be set as one string (i.e. "--ephemeral --my_special_fork") runner_extra_config_args: "" +# Disable default labels (self-hosted, Linux, X64) and require custom labels. Set `runner_no_default_labels: true` and provide at least one label in `runner_labels` to use this feature. +runner_no_default_labels: false + # Name to assign to this runner in GitHub (System hostname as default) runner_name: "{{ ansible_facts.hostname }}" 
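Review bot: The comment added above `runner_no_default_labels` in defaults/main.yml lists the default labels as `self-hosted, Linux, X64`, but this patch also wires the flag into tasks/install_runner_win.yml, where the OS label is not `Linux`. Labels decide which jobs a runner is eligible to pick up, so the description should hold for every platform the role handles. I would word it as `# Suppress the runner's default labels (self-hosted plus its OS and architecture labels); requires at least one entry in runner_labels.` The README hunk carries the same sentence.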
diff --git a/molecule/no_default_labels/converge.yml b/molecule/no_default_labels/converge.yml new file mode 100644 index 0000000..7d781e5 --- /dev/null +++ b/molecule/no_default_labels/converge.yml @@ -0,0 +1,12 @@ +--- +- name: Test no_default_labels scenario + hosts: all + become: yes + vars: + runner_no_default_labels: true + runner_labels: + - testlabel + github_account: testuser + github_repo: testrepo + roles: + - role: monolithprojects.github_actions_runner diff --git a/molecule/no_default_labels/molecule.yml b/molecule/no_default_labels/molecule.yml new file mode 100644 index 0000000..df5e162 --- /dev/null +++ b/molecule/no_default_labels/molecule.yml @@ -0,0 +1,39 @@ +--- +provisioner: + name: ansible + config_options: + defaults: + verbosity: 0 + playbooks: + converge: converge.yml + cleanup: ../default/cleanup.yml + verify: verify.yml +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: "${MOLECULE_IMAGE:-ubuntu22}-latest" + image: "${namespace:-monolithprojects}/systemd-${MOLECULE_IMAGE:-ubuntu22}:latest" + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:${MOLECULE_DOCKER_VOLUMES:-rw}" # Use "ro" for cgroup v1 and "rw" for cgroup v2 + cgroupns_mode: ${MOLECULE_DOCKER_CGROUPS_MODE:-"host"} # Use "private" for cgroup v1 and "host" for cgroup v2 + command: ${MOLECULE_DOCKER_COMMAND:-""} + privileged: true + pre_build_image: true +verifier: + name: ansible +scenario: + name: default + test_sequence: + - dependency + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - side_effect + - verify + - cleanup + - destroy diff --git a/molecule/no_default_labels/requirements.yml b/molecule/no_default_labels/requirements.yml new file mode 100644 index 0000000..e80ce4a --- /dev/null +++ b/molecule/no_default_labels/requirements.yml @@ -0,0 +1,2 @@ +--- +# No extra requirements for this scenario diff --git a/molecule/no_default_labels/verify.yml b/molecule/no_default_labels/verify.yml new file mode 100644 index 0000000..5cd5927 
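Review bot: In molecule/no_default_labels/molecule.yml the platform combines `privileged: true`, a `/sys/fs/cgroup` bind mount that defaults to `rw`, and `cgroupns_mode` defaulting to `host`, and only the last two carry a comment. Together they give the test container close to host-level access, which matters because the role under test appears to download and run a runner binary inside it. I would document the third setting too, for example `privileged: true  # presumably needed for systemd in the image; run this scenario only on disposable hosts`.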
--- /dev/null +++ b/molecule/no_default_labels/verify.yml @@ -0,0 +1,13 @@ +--- +- name: Verify runner_no_default_labels + hosts: all + gather_facts: false + tasks: + - name: Assert runner_no_default_labels is true + ansible.builtin.assert: + that: + - hostvars[inventory_hostname]['runner_no_default_labels'] | bool + - name: Assert runner_labels contains testlabel + ansible.builtin.assert: + that: + - 'testlabel' in hostvars[inventory_hostname]['runner_labels'] diff --git a/tasks/assert.yml b/tasks/assert.yml index 6abf982..888528a 100644 --- a/tasks/assert.yml +++ b/tasks/assert.yml @@ -39,3 +39,10 @@ fail_msg: "runner_user_win_password was not defined, but it is required on a windows system" run_once: true when: github_actions_system == "win" + +- name: Check runner_labels is not empty if runner_no_default_labels is true (RUN ONCE) + ansible.builtin.assert: + that: + - not (runner_no_default_labels | bool) or (runner_labels is defined and runner_labels | length > 0) + fail_msg: "runner_labels must be set and not empty when runner_no_default_labels is true." + run_once: true \ No newline at end of file diff --git a/tasks/install_runner_unix.yml b/tasks/install_runner_unix.yml index 8497017..6b08c5a 100644 --- a/tasks/install_runner_unix.yml +++ b/tasks/install_runner_unix.yml @@ -82,6 +82,7 @@ --labels {{ runner_labels | join(',') }} \ --runnergroup {{ runner_group }} \ --unattended \ + {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \ {{ runner_extra_config_args }}" args: chdir: "{{ runner_dir }}" @@ -120,6 +121,7 @@ --name '{{ runner_name }}' \ --labels {{ runner_labels | join(',') }} \ --unattended \ + {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \ {{ runner_extra_config_args }} \ --replace" args: diff --git a/tasks/install_runner_win.yml b/tasks/install_runner_win.yml index 2da19fe..c8e0f1a 100644 --- a/tasks/install_runner_win.yml +++ b/tasks/install_runner_win.yml 
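Review bot: The new check in tasks/assert.yml is marked `run_once: true`, so it is evaluated with one host's variables only. If `runner_no_default_labels` or `runner_labels` is set per host or per group, the other hosts are never validated and can reach the config command with `--no-default-labels` and an empty `--labels` value. Dropping `run_once: true` from this task (and the `(RUN ONCE)` suffix from its name) makes the assertion run for every host. `runner_labels | length > 0` also passes for a non-empty string, which `join(',')` would then split per character, so `runner_labels is not string` is worth adding to the `that` expression. The file now ends without a trailing newline.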
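Review bot: Nothing guards the new `--no-default-labels` argument against the runner release being installed. The role lets the version be chosen (`runner_version` appears in the scenario vars later in this series), and a release whose config script predates the flag would presumably fail at registration. This applies to both hunks in tasks/install_runner_unix.yml and to the two in tasks/install_runner_win.yml. At minimum the variable's description should carry the caveat, for example `# Needs a runner release whose config script accepts --no-default-labels.` The surrounding tasks start and end outside these hunks, so I cannot tell whether a version fact is available for an assert.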
@@ -78,8 +78,9 @@ --runasservice \ --windowslogonaccount {{ runner_user }} \ --windowslogonpassword {{ runner_user_win_password }} \ - --unattended \ - {{ runner_extra_config_args }}" + --unattended \ + {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \ + {{ runner_extra_config_args }}" args: chdir: "{{ runner_dir }}" changed_when: true @@ -101,9 +102,10 @@ --runasservice \ --windowslogonaccount {{ runner_user }} \ --windowslogonpassword {{ runner_user_win_password }} \ - --unattended \ - {{ runner_extra_config_args }} \ - --replace" + --unattended \ + {{ '--no-default-labels' if runner_no_default_labels | bool else '' }} \ + {{ runner_extra_config_args }} \ + --replace" args: chdir: "{{ runner_dir }}" changed_when: true From 49a63087ff70f96d56329352477a43d209cf32fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Staffan=20Fors=C3=A9ll?= Date: Wed, 1 Oct 2025 23:24:57 +0200 Subject: [PATCH 2/3] Fix readme --- README.md | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/README.md b/README.md index 68799ce..c3708b0 100644 --- a/README.md +++ b/README.md 
@@ -265,34 +265,9 @@ In this example the Ansible role will uninstall the runner service and unregiste 1. Install Python, Docker, and Ansible if you haven't already. 2. Install Molecule and its Docker driver with pip: -```bash -pip install "molecule-plugins[docker]" -``` -Sure, here's a basic example of how you might structure a README to explain how to test the `monolithprojects.github_actions_runner` Ansible role with Molecule: - -```markdown -# monolithprojects.github_actions_runner - -This is an Ansible role for setting up GitHub Actions runners. - -## Testing with Molecule - -[Molecule](https://molecule.readthedocs.io/) is a testing framework for Ansible that we use to test the `monolithprojects.github_actions_runner` role. - -### Prerequisites - -- Python -- Docker -- Ansible -- Molecule - -### Installation - -1. Install Python, Docker, and Ansible if you haven't already. -2. Install Molecule and its Docker driver with pip: - ```bash pip install molecule[docker] +pip install "molecule-plugins[docker]" ``` ### Running Tests From df05967f725d1a877d2f20c57639a488c747ce6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Staffan=20Fors=C3=A9ll?= Date: Wed, 1 Oct 2025 23:25:19 +0200 Subject: [PATCH 3/3] Fix molecule tests --- molecule/no_default_labels/converge.yml | 11 ++++-- molecule/no_default_labels/molecule.yml | 2 +- molecule/no_default_labels/requirements.yml | 5 ++- molecule/no_default_labels/verify.yml | 43 ++++++++++++++++++--- 4 files changed, 50 insertions(+), 11 deletions(-) diff --git a/molecule/no_default_labels/converge.yml b/molecule/no_default_labels/converge.yml index 7d781e5..6b32de6 100644 --- a/molecule/no_default_labels/converge.yml +++ b/molecule/no_default_labels/converge.yml 
@@ -3,10 +3,15 @@ hosts: all become: yes vars: + runner_user: ansible + github_repo: "{{ lookup('env', 'GITHUB_REPO') }}" + github_account: "{{ lookup('env', 'GITHUB_ACCOUNT') }}" + runner_version: "latest" + runner_name: test_name runner_no_default_labels: true runner_labels: - - testlabel - github_account: testuser - github_repo: testrepo + - testlabel1 + - testlabel2 roles: - role: monolithprojects.github_actions_runner + diff --git a/molecule/no_default_labels/molecule.yml b/molecule/no_default_labels/molecule.yml index df5e162..8d3aa46 100644 --- a/molecule/no_default_labels/molecule.yml +++ b/molecule/no_default_labels/molecule.yml @@ -24,7 +24,7 @@ platforms: verifier: name: ansible scenario: - name: default + name: no_default_labels test_sequence: - dependency - destroy diff --git a/molecule/no_default_labels/requirements.yml b/molecule/no_default_labels/requirements.yml index e80ce4a..ee41ee4 100644 --- a/molecule/no_default_labels/requirements.yml +++ b/molecule/no_default_labels/requirements.yml @@ -1,2 +1,5 @@ --- -# No extra requirements for this scenario + +roles: +- name: robertdebock.epel + version: 3.0.1 diff --git a/molecule/no_default_labels/verify.yml b/molecule/no_default_labels/verify.yml index 5cd5927..a079a88 100644 --- a/molecule/no_default_labels/verify.yml +++ b/molecule/no_default_labels/verify.yml 
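Review bot: molecule/no_default_labels/requirements.yml now pulls `robertdebock.epel` from Galaxy, yet neither converge.yml nor verify.yml of this scenario references that role, and the default platform image is `ubuntu22`. If it is a leftover copied from another scenario, drop the entry: the dependency step runs in the same environment that later supplies `PERSONAL_ACCESS_TOKEN`, so it should not install third-party code it never uses. If it is needed, say where, for example `# used by <playbook> on EL images`.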
@@ -1,13 +1,44 @@ --- -- name: Verify runner_no_default_labels +- name: Validate Repo runners + user: ansible hosts: all - gather_facts: false + gather_facts: yes + become: yes + vars: + runner_user: ansible + github_repo: "{{ lookup('env', 'GITHUB_REPO') }}" + github_account: "{{ lookup('env', 'GITHUB_ACCOUNT') }}" + github_api_url: "https://api.github.com" + access_token: "{{ lookup('env', 'PERSONAL_ACCESS_TOKEN') }}" + runner_name: "{{ ansible_facts.hostname }}" + tasks: - - name: Assert runner_no_default_labels is true + - name: Check currently registered runners + ansible.builtin.uri: + url: "{{ github_api_url }}/repos/{{ github_owner | default(github_account) }}/{{ github_repo }}/actions/runners" + headers: + Authorization: "token {{ access_token }}" + Accept: "application/vnd.github.v3+json" + method: GET + status_code: 200 + force_basic_auth: yes + register: registered_runners + + - name: Check Runner ansible.builtin.assert: that: - - hostvars[inventory_hostname]['runner_no_default_labels'] | bool - - name: Assert runner_labels contains testlabel + - registered_runners.json.runners.0.status == "online" + quiet: true + + - debug: + var: registered_runners.json.runners.0 + + - name: Set fact - current labels + ansible.builtin.set_fact: + current_labels: "{{ registered_runners.json.runners.0 | json_query('labels[*].name') | list }}" + + - name: Check Labels (skipped if labels are OK) ansible.builtin.assert: that: - - 'testlabel' in hostvars[inventory_hostname]['runner_labels'] + - current_labels == ['testlabel1', 'testlabel2'] + fail_msg: "Expected only the custom labels 'testlabel1' and 'testlabel2', but got {{ current_labels }}" \ No newline at end of file
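Review bot: The status and label checks read `registered_runners.json.runners.0`, whichever runner the API lists first, so on a repository with any other runner registered they can validate the wrong one. converge.yml registers the runner as `test_name`, while the `runner_name` var set in this play is the hostname and is never used. Selecting the runner by name and comparing sorted label names fixes this, and also removes the `json_query` dependency that this scenario's requirements.yml does not declare. The `uri` task sends `PERSONAL_ACCESS_TOKEN` in a header without `no_log: true`, so the token can appear in the task's invocation output at higher verbosity. `force_basic_auth` has no effect without a username and password and can go.

```yaml
    - name: Check currently registered runners
      ansible.builtin.uri:
        # … unchanged: url, headers, method, status_code …
      register: registered_runners
      no_log: true  # keeps the Authorization header out of task output

    - name: Set fact - runner registered by converge.yml
      ansible.builtin.set_fact:
        test_runner: "{{ registered_runners.json.runners | selectattr('name', 'equalto', 'test_name') | first }}"

    - name: Check Runner
      ansible.builtin.assert:
        that:
          - test_runner.status == "online"
        quiet: true

    - name: Set fact - current labels
      ansible.builtin.set_fact:
        current_labels: "{{ test_runner.labels | map(attribute='name') | sort }}"

    # … unchanged: Check Labels assert …
```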