nult/roles/act_runner/tasks/binary.yml
Mark a9554f3e5d Initial commit: nult - Ansible deployment toolkit
Merged from veridion-gitea and veridion-act-runner-gitea repos.

nult (Null-T) - instant teleportation from Strugatsky's Noon Universe.
Like Null-T, this toolkit instantly deploys infrastructure.

Roles:
- gitea: Gitea server with PostgreSQL (Docker Compose)
- act_runner: Gitea Actions runner

Playbooks:
- gitea.yml: Deploy Gitea server
- act-runner.yml: Deploy Act Runner
- site.yml: Deploy all services

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 15:34:07 +01:00


---
# =============================================================================
# Gitea Act Runner - Binary Installation
# =============================================================================
#
# Downloads and installs the act_runner binary from:
# https://dl.gitea.com/act_runner/
#
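# Security: when act_runner_verify_checksum is true, the SHA256 of the
# downloaded binary is compared against the .sha256 file published next to it.
# Both files are fetched from dl.gitea.com, so the check catches a corrupted
# or truncated download but not a compromised download host. When the
# variable is false, the binary is installed without any verification.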
#
# =============================================================================
# Build the release-asset URLs for the requested version and architecture.
# The checksum URL is the binary URL with ".sha256" appended, so both files
# are served from the same host.
- name: Set act_runner download URLs
  ansible.builtin.set_fact:
    act_runner_download_url: "https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}"
    act_runner_checksum_url: "https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}.sha256"
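# Download the act_runner binary to a temporary location.
#
# force: true makes get_url fetch the file on every run. Without it, get_url
# skips the download whenever dest already exists, so a /tmp/act_runner left
# behind by an earlier failed run, or created by another local user in the
# shared /tmp directory, would be treated as the freshly downloaded release.
- name: Download act_runner binary
  ansible.builtin.get_url:
    url: "{{ act_runner_download_url }}"
    dest: /tmp/act_runner
    mode: '0755'
    force: true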
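# Download the published .sha256 file (only when verification is enabled).
#
# force: true makes get_url fetch the file on every run. Without it, get_url
# skips the download whenever dest already exists, so a stale or pre-existing
# /tmp/act_runner.sha256 would become the reference value for verification.
- name: Download act_runner checksum
  ansible.builtin.get_url:
    url: "{{ act_runner_checksum_url }}"
    dest: /tmp/act_runner.sha256
    mode: '0644'
    force: true
  when: act_runner_verify_checksum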
# Load the checksum file from the managed host into a registered variable.
# slurp returns the file body base64-encoded in `.content`.
- name: Read expected checksum
  when: act_runner_verify_checksum
  ansible.builtin.slurp:
    src: /tmp/act_runner.sha256
  register: act_runner_expected_checksum_file
# Extract the digest from the checksum file, which is expected to look like
# "<checksum> <filename>": decode the slurped content and keep the first
# whitespace-separated token.
- name: Parse expected checksum
  when: act_runner_verify_checksum
  ansible.builtin.set_fact:
    act_runner_expected_checksum: >-
      {{ (act_runner_expected_checksum_file.content | b64decode).split()[0] }}
# Hash the downloaded binary on the managed host with SHA256; the digest is
# read later from `.stat.checksum` of the registered result.
- name: Calculate actual checksum
  when: act_runner_verify_checksum
  ansible.builtin.stat:
    checksum_algorithm: sha256
    path: /tmp/act_runner
  register: act_runner_actual_checksum
# Fail unless the SHA256 of the downloaded file equals the published digest.
# A mismatch means the file on disk is not the one the .sha256 file
# describes (corruption, truncation or modification).
# NOTE(review): the reference digest comes from the same host as the binary,
# so a match does not prove the release itself is authentic.
- name: Verify checksum matches
  when: act_runner_verify_checksum
  ansible.builtin.assert:
    that:
      - act_runner_actual_checksum.stat.checksum == act_runner_expected_checksum
    success_msg: 'Checksum verified: {{ act_runner_expected_checksum }}'
    fail_msg: >-
      Checksum verification FAILED!
      Expected: {{ act_runner_expected_checksum }}
      Actual: {{ act_runner_actual_checksum.stat.checksum }}
      The downloaded binary may have been tampered with.
# Copy the downloaded binary from /tmp on the managed host (remote_src) to
# its final path, owned by root and executable by everyone, then trigger the
# service restart handler.
# NOTE(review): this task has no `when`, so it also runs when
# act_runner_verify_checksum is false and the file was never verified.
- name: Install act_runner binary
  ansible.builtin.copy:
    remote_src: true
    src: /tmp/act_runner
    dest: "{{ act_runner_bin_path }}"
    mode: '0755'
    owner: root
    group: root
  notify: Restart act_runner
# Remove the downloaded binary and checksum file from /tmp.
# NOTE(review): as a plain task at the end of the list, this presumably does
# not run when an earlier task fails (for example a checksum mismatch), which
# would leave both files in /tmp; confirm whether a block/always is wanted.
- name: Clean up temporary files
  loop:
    - /tmp/act_runner
    - /tmp/act_runner.sha256
  ansible.builtin.file:
    state: absent
    path: "{{ item }}"