chore(deps): update docker.io/library/postgres:17.2-alpine docker digest to 17143ad #3061
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Ansible CI/CD | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - closed | |
| branches: | |
| - main | |
| paths: | |
| - "ansible/host_vars/**" | |
| workflow_dispatch: | |
| inputs: | |
| host: | |
| description: "Host to run Ansible against" | |
| required: true | |
| type: choice | |
| options: | |
| - "authentik" | |
| - "cicd" | |
| - "healthchecks" | |
| - "monitoring" | |
| - "vault" | |
| dry_run: | |
| description: "Dry run" | |
| required: true | |
| type: boolean | |
| default: true | |
| workflow_call: | |
| inputs: | |
| host: | |
| description: "Host to run Ansible against" | |
| required: true | |
| type: string | |
| dry_run: | |
| description: "Dry run" | |
| required: true | |
| type: boolean | |
| default: true | |
| env: | |
| TAILSCALE_VERSION: 1.44.0 | |
| PYTHON_VERSION: 3.11 | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| host: ${{ steps.set-host.outputs.host }} | |
| dry_run: ${{ steps.set-dry-run.outputs.dry_run }} | |
| steps: | |
| - name: Checkout (pull_request) | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| if: github.event_name == 'pull_request' | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Checkout (workflow_dispatch || push) | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| if: github.event_name != 'pull_request' | |
| - name: Fetch main branch | |
| run: git fetch origin main | |
| - name: Set host | |
| id: set-host | |
| run: | | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| echo "host=${{ github.event.inputs.host }}" >> $GITHUB_OUTPUT | |
| elif [ "${{ github.event_name }}" == "pull_request" ]; then | |
| # Get list of subdirectories in ansible/host_vars that have changed vs PR base SHA | |
| CHANGED_HOSTS=$(git diff --name-only ${{ github.event.pull_request.base.sha }} | grep -oP 'ansible/host_vars/\K[^/]+') | |
| # Set host to list of changed hosts, using , as a delimiter | |
| echo "host=$(echo $CHANGED_HOSTS | tr ' ' ',')" >> $GITHUB_OUTPUT | |
| else | |
| echo "Unknown event name: ${{ github.event_name }}" | |
| exit 1 | |
| fi | |
| - name: Set dry run (workflow_dispatch) | |
| id: set-dry-run | |
| run: | | |
| if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
| echo "dry_run=${{ github.event.inputs.dry_run }}" >> $GITHUB_OUTPUT | |
| elif [ "${{ github.event_name }}" == "pull_request" ]; then | |
| if [ "${{ github.event.pull_request.merged }}" == "true" ]; then | |
| echo "dry_run=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "dry_run=true" >> $GITHUB_OUTPUT | |
| fi | |
| else | |
| echo "Unknown event name: ${{ github.event_name }}" | |
| exit 1 | |
| fi | |
| - name: Summary | |
| run: | | |
| echo "# Inputs Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "| Input | Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| host | ${{ steps.set-host.outputs.host }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| dry_run | ${{ steps.set-dry-run.outputs.dry_run }} |" >> $GITHUB_STEP_SUMMARY | |
| ansible: | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| env: | |
| ANSIBLE_ROLES_PATH: ${{ github.workspace }}/ansible/roles | |
| ANSIBLE_COLLECTIONS_PATH: ${{ github.workspace }}/ansible/collections | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # Configure 1Password Service Account | |
| - name: Configure 1Password Service Account | |
| uses: 1Password/load-secrets-action/configure@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 | |
| with: | |
| service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
| # Fetch TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET | |
| # from 1Password using load-secrets-action | |
| - name: Fetch Tailscale Secrets | |
| uses: 1Password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 | |
| id: fetch-tailscale-secrets | |
| with: | |
| export-env: false | |
| env: | |
| OAUTH_CLIENT_ID: op://Infrastructure/tailscale/github_actions/oauth_client_id | |
| OAUTH_CLIENT_SECRET: op://Infrastructure/tailscale/github_actions/oauth_client_secret | |
| - name: Setup Tailscale | |
| uses: tailscale/github-action@8688eb839e58e6b25c1ae96cd99d1c173299b842 # v3 | |
| with: | |
| version: ${{ env.TAILSCALE_VERSION }} | |
| oauth-client-id: ${{ steps.fetch-tailscale-secrets.outputs.OAUTH_CLIENT_ID }} | |
| oauth-secret: ${{ steps.fetch-tailscale-secrets.outputs.OAUTH_CLIENT_SECRET }} | |
| tags: tag:cicd | |
| - name: Disallow DNS configuration from Tailscale admin panel | |
| run: sudo tailscale set --accept-dns=false | |
| - name: Setup Taskfile | |
| uses: arduino/setup-task@v2 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Python | |
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: pip | |
| - name: Cache Ansible Roles | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 | |
| with: | |
| path: ${{ env.ANSIBLE_ROLES_PATH }} | |
| key: ${{ runner.os }}-ansible-roles-${{ hashFiles('ansible/requirements.yml') }} | |
| - name: Cache Ansible Collections | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 | |
| with: | |
| path: ${{ env.ANSIBLE_COLLECTIONS_PATH }} | |
| key: ${{ runner.os }}-ansible-collections-${{ hashFiles('ansible/requirements.yml') }} | |
| - name: Setup CICD | |
| run: task setup-cicd | |
| # Fetch ANSIBLE_VAULT_PASSWORD from 1Password using load-secrets-action | |
| - name: Fetch Ansible Vault Password | |
| uses: 1Password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2 | |
| id: fetch-ansible-vault-password | |
| with: | |
| export-env: false | |
| env: | |
| ANSIBLE_VAULT_PASSWORD: op://Infrastructure/ansible/vault/password | |
| # Loop through hosts | |
| - name: Run Ansible | |
| env: | |
| ANSIBLE_VAULT_PASSWORD: ${{ steps.fetch-ansible-vault-password.outputs.ANSIBLE_VAULT_PASSWORD }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "# Ansible CICD Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "Job: [${{ github.job }}]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/${{ github.run_id }})" >> $GITHUB_STEP_SUMMARY | |
| echo "| Host | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| FINAL_STATUS=0 | |
| # Create list of hosts to run Ansible for, splitting on , | |
| HOSTS=$(echo ${{ needs.setup.outputs.host }} | tr ',' ' ') | |
| for host in $HOSTS; do | |
| STATUS_EMOJI="" | |
| if ! ansible --list-hosts all | grep -q $host; then | |
| echo "$host is not an available host, skipping" | |
| continue | |
| fi | |
| echo ::group::Pinging $host | |
| HOST=$host task ansible-ping | |
| STATUS_PING=$? | |
| echo ::endgroup:: | |
| if [ $STATUS_PING -ne 0 ]; then | |
| STATUS_EMOJI=":warning:" | |
| echo "$host is unreachable, skipping" | |
| else | |
| echo ::group::Running Ansible for $host | |
| HOST=$host DRY_RUN=${{ needs.setup.outputs.dry_run }} task ansible | |
| STATUS=$? | |
| echo ::endgroup:: | |
| if [ $STATUS -ne 0 ]; then | |
| FINAL_STATUS=$STATUS | |
| fi | |
| if [ $STATUS -eq 0 ]; then | |
| STATUS_EMOJI=":white_check_mark:" | |
| else | |
| STATUS_EMOJI=":x:" | |
| fi | |
| fi | |
| echo "| $host | $STATUS_EMOJI |" >> $GITHUB_STEP_SUMMARY | |
| done | |
| if [ "${{ github.event_name }}" == "pull_request" ]; then | |
| gh pr comment ${{ github.event.pull_request.number }} --body "$(cat $GITHUB_STEP_SUMMARY)" | |
| fi | |
| exit $FINAL_STATUS | |
| - name: Tailscale Logout | |
| if: always() | |
| run: sudo tailscale logout |