
Conversation

@seunghun1ee
Member

When CI action runners are rebooted, their secret store needs to be unsealed.
Added an unsealing playbook for them.

@seunghun1ee seunghun1ee self-assigned this Nov 5, 2025
@seunghun1ee seunghun1ee requested a review from a team as a code owner November 5, 2025 11:57
@seunghun1ee seunghun1ee added Epoxy ansible Ansible playbooks labels Nov 5, 2025
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new Ansible playbook for unsealing the secret store on CI action runners, which is a necessary step after they are rebooted. The playbook is clear and follows existing patterns within the project. My review includes a couple of suggestions to improve maintainability and idempotency. One suggestion is to change the pip package state from latest to present to ensure predictable behavior. The other is a recommendation to refactor common tasks into a shared role to avoid code duplication with other similar playbooks.
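The two points above, the reboot-triggered unseal from the PR description and the reviewer's idempotency concern, come down to one small piece of logic: check the seal status, submit shares only while Vault is still sealed, and do nothing when it is already unsealed. The following is an added example (not the project's playbook or the `vault_unseal` role) that implements that in Python against the real `hvac` client API; it assumes the secret store is HashiCorp Vault, as the role name suggests, and the environment variable names and the `FakeSealedVault` test double are constructed for the example so it runs offline.

```python
"""Idempotent HashiCorp Vault unseal for a rebooted CI runner.

Added example, not the project's playbook or role. Assumes the runner's
secret store is HashiCorp Vault and uses the real `hvac` client API:
hvac.Client(url=, verify=), client.sys.read_seal_status() and
client.sys.submit_unseal_key(key=). Env var names below are assumptions.
"""
import os


class UnsealError(RuntimeError):
    """Raised when Vault cannot be brought out of the sealed state."""


def unseal(client, unseal_keys):
    """Submit unseal key shares until Vault reports `sealed: false`.

    Idempotent: if Vault is already unsealed nothing is sent, so running it on
    every CI trigger is safe. Stops as soon as the threshold is met, so shares
    beyond the threshold never leave the host. `client` is an hvac.Client or
    any object exposing the same `sys` methods.
    """
    status = client.sys.read_seal_status()
    if not status["sealed"]:
        return status  # already unsealed (e.g. the playbook ran twice)
    threshold = status["t"]  # Shamir threshold from Vault's seal-status response
    # A repeated share does not advance unseal progress, so drop duplicates first.
    distinct = list(dict.fromkeys(unseal_keys))
    if len(distinct) < threshold:
        raise UnsealError(f"need {threshold} distinct unseal keys, have {len(distinct)}")
    for key in distinct:
        # Never log `key`: each share is secret material.
        status = client.sys.submit_unseal_key(key=key)
        if not status["sealed"]:
            return status
    raise UnsealError(
        f"still sealed after {len(distinct)} keys (progress {status['progress']}/{threshold})"
    )


def load_keys(path):
    """Read one share per line from a root-only file (never argv: it shows in `ps`)."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def make_client(addr, cacert):
    """Real hvac client; the import is deferred so the offline demo needs no network."""
    import hvac  # pip install hvac
    return hvac.Client(url=addr, verify=cacert)  # verify= pins the Vault CA bundle


class FakeSealedVault:
    """Constructed stand-in for hvac.Client so the example runs offline.

    Models Vault's seal-status fields (`sealed`, `t`, `n`, `progress`) and counts
    distinct accepted shares; a wrong share raises, as hvac does (InvalidRequest).
    """

    def __init__(self, valid_keys, threshold):
        self._valid = set(valid_keys)
        self._threshold = threshold
        self._accepted = set()
        self.submitted = 0  # how many shares actually reached "Vault"
        self.sys = self  # unseal() only touches client.sys.*

    def _status(self):
        sealed = len(self._accepted) < self._threshold
        return {"sealed": sealed, "t": self._threshold, "n": len(self._valid),
                "progress": len(self._accepted) if sealed else 0}

    def read_seal_status(self):
        return self._status()

    def submit_unseal_key(self, key):
        self.submitted += 1
        if key not in self._valid:
            raise ValueError("invalid unseal key")
        self._accepted.add(key)
        return self._status()


if __name__ == "__main__":
    # Real use on a runner (assumed variable names, not the project's):
    #   VAULT_ADDR=https://127.0.0.1:8200 VAULT_CACERT=/etc/vault/ca.pem
    #   VAULT_UNSEAL_KEYS_FILE=/root/unseal-keys
    if os.environ.get("VAULT_UNSEAL_KEYS_FILE"):
        c = make_client(os.environ["VAULT_ADDR"], os.environ["VAULT_CACERT"])
        print("sealed:", unseal(c, load_keys(os.environ["VAULT_UNSEAL_KEYS_FILE"]))["sealed"])
    else:
        demo = FakeSealedVault(["s1", "s2", "s3", "s4", "s5"], threshold=3)  # constructed shares
        print("sealed:", unseal(demo, ["s1", "s2", "s3", "s4"])["sealed"], "sent:", demo.submitted)
```

With a threshold of 3 and four shares supplied, only three are sent before Vault reports unsealed; a second run sends nothing. An Ansible wrapper around this would be idempotent for the same reason the reviewer asks for `state: present` on the pip package: the task changes nothing when the desired state already holds.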

Member

@Alex-Welsh Alex-Welsh left a comment

Needs a reno

Given how similar this and the other secret-store-unseal-*.yml playbooks are, we should probably just extend the vault_unseal role to reduce duplication a bit.

That's scope creep though, and I'm happy to do it this way for now.

Member

@Alex-Welsh Alex-Welsh left a comment

One more general thought, should we just run this every time we trigger CI?

Co-authored-by: Alex Welsh <[email protected]>
@seunghun1ee
Member Author

I don't know... Maybe?

@seunghun1ee
Member Author

Well even if we want to run this every time we run CI, I think that needs to be done via separate PR.

@Alex-Welsh Alex-Welsh enabled auto-merge (rebase) November 11, 2025 10:18
@Alex-Welsh Alex-Welsh disabled auto-merge November 11, 2025 10:18
@Alex-Welsh Alex-Welsh enabled auto-merge (squash) November 11, 2025 10:18
@Alex-Welsh Alex-Welsh merged commit 2fb52e5 into stackhpc/2025.1 Nov 11, 2025
22 checks passed
@Alex-Welsh Alex-Welsh deleted the add-secret-store-unseal-runners branch November 11, 2025 11:22