gitea-actions: add ARM/Python CI deps and SSH bind-mount for submodule clones

- Containerfile.ci: add python3-yaml + python3-jinja2 and the
  gcc-arm-none-eabi / binutils / libnewlib toolchain for embedded builds
- bind-mount the runner's SSH key + known_hosts read-only into each job
  container at /root/.ssh so submodule clones over
  ssh://git@git.skudak.com:2222 succeed; staged as a dedicated
  container_file_t-labelled ci-ssh copy (tasks/user.yml) and allowlisted
  via valid_volumes (config.yaml.j2)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bastian de Byl
2026-06-13 22:14:08 -04:00
parent 7d4a398bba
commit a30ff9b165
3 changed files with 58 additions and 3 deletions
@@ -69,3 +69,50 @@
group: "{{ gitea_runner_user }}"
mode: "0644"
tags: gitea-actions
# CI jobs run in ephemeral rootless-podman containers that don't inherit the
# gitea-runner user's ~/.ssh. Stage a dedicated, SELinux-labelled copy of the
# runner's key + known_hosts and bind-mount it read-only into every job
# container at /root/.ssh (see config.yaml.j2) so submodule clones over
# ssh://git@git.skudak.com:2222 work. Kept separate from ~/.ssh so the real
# directory's label is never touched.
- name: create ci-ssh dir for job-container mount
become: true
ansible.builtin.file:
path: "{{ gitea_runner_home }}/ci-ssh"
state: directory
owner: "{{ gitea_runner_user }}"
group: "{{ gitea_runner_user }}"
mode: "0700"
tags: gitea-actions
- name: stage runner ssh material into ci-ssh
become: true
ansible.builtin.copy:
src: "{{ gitea_runner_home }}/.ssh/{{ item.name }}"
dest: "{{ gitea_runner_home }}/ci-ssh/{{ item.name }}"
remote_src: true
owner: "{{ gitea_runner_user }}"
group: "{{ gitea_runner_user }}"
mode: "{{ item.mode }}"
loop:
- { name: id_ed25519, mode: "0600" }
- { name: known_hosts, mode: "0644" }
notify: restart act_runner services
tags: gitea-actions
- name: label ci-ssh as container_file_t so job containers can read it
become: true
community.general.sefcontext:
target: "{{ gitea_runner_home }}/ci-ssh(/.*)?"
setype: container_file_t
state: present
register: ci_ssh_sefcontext
tags: gitea-actions
- name: apply selinux label to ci-ssh
become: true
ansible.builtin.command: restorecon -RF {{ gitea_runner_home }}/ci-ssh
when: ci_ssh_sefcontext is changed
changed_when: true
tags: gitea-actions
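Review bot: The material staged by the copy loop at `src: "{{ gitea_runner_home }}/.ssh/{{ item.name }}"` is the runner user's own `id_ed25519`, so every job container that receives the /root/.ssh mount can read the private key outright; a read-only bind mount prevents modification, not disclosure. If that key grants more than read access to the submodule repositories, or is used for anything besides CI, staging a dedicated read-only deploy key for the submodules into ci-ssh instead would bound what any workflow scheduled on this runner can do with it. I would record that in the comment block above the first task: `# NOTE: any job on this runner can read id_ed25519 via the mount; keep this key scoped to read-only access on the submodule repos.` Separately, the restorecon task interpolates the path unquoted into the command string; `argv: ["restorecon", "-RF", "{{ gitea_runner_home }}/ci-ssh"]` keeps the argument intact should the home path ever contain whitespace. The enclosing task list starts outside the hunk (the first three lines are the tail of a preceding task).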