Initial commit: Ansible playbook for Gitea Act Runner deployment
Automated deployment of act_runner on Ubuntu 20.04+ servers:
- Docker CE installation (DEB822 format)
- Node.js 24.x via NodeSource
- act_runner binary with SHA256 verification
- systemd service with security hardening
- CI: ansible-lint via Gitea Actions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 16:01:06 +01:00


---
# =============================================================================
# Gitea Act Runner - Binary Installation
# =============================================================================
#
# Downloads and installs the act_runner binary from:
# https://dl.gitea.com/act_runner/
#
# Security: when act_runner_verify_checksum is true, the SHA256 of the
# downloaded binary is compared against the .sha256 file published next to
# it. Both files are fetched from the same origin over HTTPS, so this detects
# corrupted or truncated transfers, but NOT a compromise of that origin, which
# could republish both files consistently. For that stronger guarantee, pin a
# known-good digest per version in the role's variables instead of fetching
# the digest at run time.
#
# =============================================================================
# Build the release URLs once so the download and checksum tasks agree on them.
# The checksum file lives in the same release directory as the binary and is
# named after it with a ".sha256" suffix.
- name: Set act_runner download URLs
  ansible.builtin.set_fact:
    act_runner_download_url: "https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}"
    act_runner_checksum_url: "https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}.sha256"
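# Download the act_runner binary to a staging path in /tmp.
#
# force: true makes get_url re-download even when /tmp/act_runner already
# exists. Without it, get_url skips the download if the destination exists,
# so a leftover from an earlier failed run (the cleanup task at the end of
# this file does not run when an earlier task fails) would be reused
# silently, possibly a binary of a different version.
#
# The staging copy is deliberately not executable: nothing has been verified
# yet, and the install task sets the final 0755 on the real path.
#
# NOTE(review): /tmp is shared and the path is predictable. The sticky bit
# stops other local users from replacing a file they do not own, but a
# per-run directory from ansible.builtin.tempfile would be the more
# conservative choice. get_url can also take the .sha256 URL directly via
# its `checksum` parameter and refuse the download on mismatch before
# anything is written to dest; worth considering, provided the filename
# column in the upstream .sha256 matches the release file name.
- name: Download act_runner binary
  ansible.builtin.get_url:
    url: "{{ act_runner_download_url }}"
    dest: /tmp/act_runner
    mode: '0644'
    force: true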
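# Download the .sha256 file for verification (only when enabled).
#
# force: true so a stale /tmp/act_runner.sha256 from a failed earlier run
# (possibly for another version) is never reused; get_url otherwise skips
# the download when the destination already exists.
#
# This digest comes from the same origin as the binary, so it only proves the
# transfer was intact, not that the origin is trustworthy.
- name: Download act_runner checksum
  ansible.builtin.get_url:
    url: "{{ act_runner_checksum_url }}"
    dest: /tmp/act_runner.sha256
    mode: '0644'
    force: true
  when: act_runner_verify_checksum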
# Read the staged .sha256 file back into a variable. slurp returns the file
# content base64-encoded under `.content`; the next task decodes it.
- name: Read expected checksum
  ansible.builtin.slurp:
    path: /tmp/act_runner.sha256
  when: act_runner_verify_checksum
  register: act_runner_expected_checksum_file
# Extract the hex digest. The file is expected to be "<checksum> <filename>"
# (sha256sum-style), so the first whitespace-separated token is the digest.
# An empty file makes `first` fail, which is the desired fail-closed outcome.
- name: Parse expected checksum
  ansible.builtin.set_fact:
    act_runner_expected_checksum: >-
      {{ (act_runner_expected_checksum_file.content | b64decode).split() | first }}
  when: act_runner_verify_checksum
# Hash the staged binary with the same algorithm the upstream .sha256 uses.
# stat reports the digest as lowercase hex under `.stat.checksum`.
- name: Calculate actual checksum
  ansible.builtin.stat:
    path: /tmp/act_runner
    get_checksum: true
    checksum_algorithm: sha256
  when: act_runner_verify_checksum
  register: act_runner_actual_checksum
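# Fail closed unless the digests match.
#
# The expected value came off the network, so it is first checked to look
# like a SHA-256 hex digest (64 hex characters); a truncated file or an error
# page served with a 200 would otherwise surface as a confusing mismatch.
# The comparison is case-insensitive because stat reports lowercase hex and
# the upstream file's case is not under our control.
- name: Verify checksum matches
  ansible.builtin.assert:
    that:
      - act_runner_expected_checksum is match('^[0-9a-fA-F]{64}$')
      - act_runner_actual_checksum.stat.checksum == (act_runner_expected_checksum | lower)
    fail_msg: >-
      Checksum verification FAILED!
      Expected: {{ act_runner_expected_checksum }}
      Actual: {{ act_runner_actual_checksum.stat.checksum }}
      The downloaded binary may have been tampered with.
    success_msg: "Checksum verified: {{ act_runner_expected_checksum }}"
  when: act_runner_verify_checksum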
# Copy the staged binary (verified above when act_runner_verify_checksum is
# true) into its final location as root-owned, world-executable.
# The restart handler is notified only when the installed content changed.
- name: Install act_runner binary
  ansible.builtin.copy:
    remote_src: true
    src: /tmp/act_runner
    dest: "{{ act_runner_bin_path }}"
    owner: root
    group: root
    mode: '0755'
  notify: Restart act_runner
# Remove the staging files from /tmp.
#
# NOTE(review): this task only runs when every task above succeeded. A failed
# checksum assert (or any other failure) leaves the staging files behind in
# /tmp. Wrapping the download/verify/install tasks in a `block` with an
# `always:` section holding this task would guarantee cleanup on failure too.
- name: Clean up temporary files
  ansible.builtin.file:
    path: "{{ staging_file }}"
    state: absent
  loop:
    - /tmp/act_runner
    - /tmp/act_runner.sha256
  loop_control:
    loop_var: staging_file