Skip to content

chore(deps): update hashicorp/vault:latest docker digest to e2da709 #2766

chore(deps): update hashicorp/vault:latest docker digest to e2da709

chore(deps): update hashicorp/vault:latest docker digest to e2da709 #2766

Workflow file for this run

---
name: Ansible CI/CD
on:
pull_request:
types:
- opened
- synchronize
- reopened
- closed
branches:
- main
paths:
- "ansible/host_vars/**"
workflow_dispatch:
inputs:
host:
description: "Host to run Ansible against"
required: true
type: choice
options:
- "authentik"
- "cicd"
- "healthchecks"
- "monitoring"
- "vault"
dry_run:
description: "Dry run"
required: true
type: boolean
default: true
workflow_call:
inputs:
host:
description: "Host to run Ansible against"
required: true
type: string
dry_run:
description: "Dry run"
required: true
type: boolean
default: true
env:
TAILSCALE_VERSION: 1.44.0
PYTHON_VERSION: 3.11
jobs:
setup:
runs-on: ubuntu-latest
outputs:
host: ${{ steps.set-host.outputs.host }}
dry_run: ${{ steps.set-dry-run.outputs.dry_run }}
steps:
- name: Checkout (pull_request)
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
if: github.event_name == 'pull_request'
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Checkout (workflow_dispatch || push)
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
if: github.event_name != 'pull_request'
- name: Fetch main branch
run: git fetch origin main
- name: Set host
id: set-host
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "host=${{ github.event.inputs.host }}" >> $GITHUB_OUTPUT
elif [ "${{ github.event_name }}" == "pull_request" ]; then
# Get list of subdirectories in ansible/host_vars that have changed vs PR base SHA
CHANGED_HOSTS=$(git diff --name-only ${{ github.event.pull_request.base.sha }} | grep -oP 'ansible/host_vars/\K[^/]+')
# Set host to list of changed hosts, using , as a delimiter
echo "host=$(echo $CHANGED_HOSTS | tr ' ' ',')" >> $GITHUB_OUTPUT
else
echo "Unknown event name: ${{ github.event_name }}"
exit 1
fi
- name: Set dry run (workflow_dispatch)
id: set-dry-run
run: |
if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
echo "dry_run=${{ github.event.inputs.dry_run }}" >> $GITHUB_OUTPUT
elif [ "${{ github.event_name }}" == "pull_request" ]; then
if [ "${{ github.event.pull_request.merged }}" == "true" ]; then
echo "dry_run=false" >> $GITHUB_OUTPUT
else
echo "dry_run=true" >> $GITHUB_OUTPUT
fi
else
echo "Unknown event name: ${{ github.event_name }}"
exit 1
fi
- name: Summary
run: |
echo "# Inputs Summary" >> $GITHUB_STEP_SUMMARY
echo "| Input | Value |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| host | ${{ steps.set-host.outputs.host }} |" >> $GITHUB_STEP_SUMMARY
echo "| dry_run | ${{ steps.set-dry-run.outputs.dry_run }} |" >> $GITHUB_STEP_SUMMARY
ansible:
runs-on: ubuntu-latest
needs: setup
env:
ANSIBLE_ROLES_PATH: ${{ github.workspace }}/ansible/roles
ANSIBLE_COLLECTIONS_PATH: ${{ github.workspace }}/ansible/collections
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
# Configure 1Password Service Account
- name: Configure 1Password Service Account
uses: 1Password/load-secrets-action/configure@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
with:
service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
# Fetch TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET
# from 1Password using load-secrets-action
- name: Fetch Tailscale Secrets
uses: 1Password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
id: fetch-tailscale-secrets
with:
export-env: false
env:
OAUTH_CLIENT_ID: op://Infrastructure/tailscale/github_actions/oauth_client_id
OAUTH_CLIENT_SECRET: op://Infrastructure/tailscale/github_actions/oauth_client_secret
- name: Setup Tailscale
uses: tailscale/github-action@4e4c49acaa9818630ce0bd7a564372c17e33fb4d # v2
with:
version: ${{ env.TAILSCALE_VERSION }}
oauth-client-id: ${{ steps.fetch-tailscale-secrets.outputs.OAUTH_CLIENT_ID }}
oauth-secret: ${{ steps.fetch-tailscale-secrets.outputs.OAUTH_CLIENT_SECRET }}
tags: tag:cicd
- name: Disallow DNS configuration from Tailscale admin panel
run: sudo tailscale set --accept-dns=false
- name: Setup Taskfile
uses: arduino/setup-task@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Python
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: pip
- name: Cache Ansible Roles
uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
with:
path: ${{ env.ANSIBLE_ROLES_PATH }}
key: ${{ runner.os }}-ansible-roles-${{ hashFiles('ansible/requirements.yml') }}
- name: Cache Ansible Collections
uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4
with:
path: ${{ env.ANSIBLE_COLLECTIONS_PATH }}
key: ${{ runner.os }}-ansible-collections-${{ hashFiles('ansible/requirements.yml') }}
- name: Setup CICD
run: task setup-cicd
# Fetch ANSIBLE_VAULT_PASSWORD from 1Password using load-secrets-action
- name: Fetch Ansible Vault Password
uses: 1Password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
id: fetch-ansible-vault-password
with:
export-env: false
env:
ANSIBLE_VAULT_PASSWORD: op://Infrastructure/ansible/vault/password
# Loop through hosts
- name: Run Ansible
env:
ANSIBLE_VAULT_PASSWORD: ${{ steps.fetch-ansible-vault-password.outputs.ANSIBLE_VAULT_PASSWORD }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "# Ansible CICD Summary" >> $GITHUB_STEP_SUMMARY
echo "Job: [${{ github.job }}]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY
echo "| Host | Status |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
FINAL_STATUS=0
# Create list of hosts to run Ansible for, splitting on ,
HOSTS=$(echo ${{ needs.setup.outputs.host }} | tr ',' ' ')
for host in $HOSTS; do
STATUS_EMOJI=""
if ! ansible --list-hosts all | grep -q $host; then
echo "$host is not an available host, skipping"
continue
fi
echo ::group::Pinging $host
HOST=$host task ansible-ping
STATUS_PING=$?
echo ::endgroup::
if [ $STATUS_PING -ne 0 ]; then
STATUS_EMOJI=":warning:"
echo "$host is unreachable, skipping"
else
echo ::group::Running Ansible for $host
HOST=$host DRY_RUN=${{ needs.setup.outputs.dry_run }} task ansible
STATUS=$?
echo ::endgroup::
if [ $STATUS -ne 0 ]; then
FINAL_STATUS=$STATUS
fi
if [ $STATUS -eq 0 ]; then
STATUS_EMOJI=":white_check_mark:"
else
STATUS_EMOJI=":x:"
fi
fi
echo "| $host | $STATUS_EMOJI |" >> $GITHUB_STEP_SUMMARY
done
if [ "${{ github.event_name }}" == "pull_request" ]; then
gh pr comment ${{ github.event.pull_request.number }} --body "$(cat $GITHUB_STEP_SUMMARY)"
fi
exit $FINAL_STATUS
- name: Tailscale Logout
if: always()
run: sudo tailscale logout