ansible-deploy-role/action.yml

---
name: run-ansible-deploy
description: Run a play using ansible-playbook.
author: Michael Sasser <info@michaelsasser.org>

branding:
  icon: shield
  color: blue

inputs:
  playbook_repository:
    description: The repository that contains the playbook
    required: true

  config_file:
    description: The path to the ansible config file
    default: ""
    required: false

  cache_dependencies:
    description: Cache the dependencies from the requirement file
    default: "false"
    required: false

  use_ansible_runner:
    description: Use ansible-runner instead of ansible-playbook
    default: "false"
    required: false

  #
  # Secrets
  #
  PERSONAL_ACCESS_TOKEN:
    description: A personal access token that allows this workflow to pull the playbook repository.
    required: true

  ANSIBLE_VAULT_PASSWORD:
    description: The vault token/password for ansible vault.
    required: true

  ANSIBLE_SSH_PRIVATE_KEY:
    description: A SSH private key to deploy the playbook with the role
    required: true

runs:
  using: composite
  steps:
    - name: Prepare Ansible Role Name
      id: get-role-info
      shell: bash
      run: |
        echo "gitea.event.repository.name = ${{ gitea.event.repository.name }}"
        echo "GITHUB_REPOSITORY = ${GITHUB_REPOSITORY}"
        if [ -n '${{ gitea.event.repository.name }}' ]; then
          ROLE_NAME=$(echo ${{ gitea.event.repository.name }} | sed 's/ansible-role-//g')
        else
          ROLE_NAME=$(echo "${GITHUB_REPOSITORY}" | sed 's/.*\/ansible-role-//g')
        fi
        echo "::set-output name=role_name::$ROLE_NAME"

        echo "gitea.repository = ${{ gitea.repository }}"
        echo "inputs.config_file = ${{ inputs.config_file }}"
        CONFIG_FILE='/workspace/${{ gitea.repository }}/ansible.cfg'
        if [ -n '${{ inputs.config_file }}' ]; then
          CONFIG_FILE='${{ inputs.config_file }}'
        fi
        echo "::set-output name=config_file::$CONFIG_FILE"

    # Clone Playbook
    - name: Checkout the Ansible Playbook
      uses: https://git.michaelsasser.org/actions/checkout@v4
      with:
        ref: refs/heads/main
        repository: "${{ inputs.playbook_repository }}"
        path: /workspace/${{ gitea.repository }}
        token: ${{ inputs.PERSONAL_ACCESS_TOKEN }}

    # Clone Role
    - name: Checkout this Ansible Role
      uses: https://git.michaelsasser.org/actions/checkout@v4
      with:
        path: "/workspace/${{ gitea.repository }}/plays/roles/michaelsasser.${{ steps.get-role-info.outputs.role_name }}"
        token: ${{ inputs.PERSONAL_ACCESS_TOKEN }}

    # Setup SSH
    - name: Setup SSH
      shell: bash
      run: |
        eval `ssh-agent -s`
        mkdir -p /home/runner/.ssh/
        touch /home/runner/.ssh/id_rsa
        echo -e "${{ inputs.ANSIBLE_SSH_PRIVATE_KEY }}" > /home/runner/.ssh/id_ed25519
        chmod 700 /home/runner/.ssh/id_ed25519

    # Check if dependencies must be installed before running the playbook
    - name: Check if the role has dependencies
      id: get-role-has-dependencies
      shell: bash
      run: |
        if test -f "/workspace/${{ gitea.repository }}/plays/roles/michaelsasser.${{ steps.get-role-info.outputs.role_name }}/meta/requirements.yml"; then
          echo "::set-output name=role_has_dependencies::true"
        else
          echo "::set-output name=role_has_dependencies::false"
        fi

    # Workaround for `hashFiles`, which is currently not supported by gitea
    - name: Generate Galaxy Cache
      if: ${{ steps.get-role-has-dependencies.outputs.role_has_dependencies == 'true' && inputs.cache_dependencies == 'true' }}
      uses: https://git.michaelsasser.org/actions/hashfiles@v0.0.1
      id: ansible-galaxy-hash
      with:
        patterns: |-
          **/meta/requirements.yml

    # Setup Ansible Galaxy Cache
    - name: Cache Ansible Galaxy
      if: ${{ steps.get-role-has-dependencies.outputs.role_has_dependencies == 'true' && inputs.cache_dependencies == 'true'}}
      uses: https://git.michaelsasser.org/actions/cache@v4
      with:
        path: |
          ~/.ansible/collections/
          ~/.ansible/roles/
          roles/
        key: ansible-galaxy-${{ steps.ansible-galaxy-hash.outputs.hash }}

    # Run Ansible
    - name: Run Ansible Playbook
      shell: bash
      run: |
        EE_REQUIREMENTS_PIP='/workspace/${{ gitea.repository }}/plays/roles/michaelsasser.${{ steps.get-role-info.outputs.role_name }}/meta/ee-requirements.txt'

        # Only install dependencies if there are some
        if [ '${{ steps.get-role-has-dependencies.outputs.role_has_dependencies }}' = 'true' ]; then 
          ansible-galaxy install -r '/workspace/${{ gitea.repository }}/plays/roles/michaelsasser.${{ steps.get-role-info.outputs.role_name }}/meta/requirements.yml'
        fi


        if [ '${{ inputs.use_ansible_runner }}' = 'true' ]; then
          ansible-runner --version
          ansible-runner run --playbook '/workspace/${{ gitea.repository }}/plays/${{ steps.get-role-info.outputs.role_name }}.yml' --inventory '/workspace/${{ gitea.repository }}/inventory/hosts.yml' --cmdline '--private-key /home/runner/.ssh/id_ed25519' '/workspace/${{ gitea.repository }}'
        else
          # Install pip dependencies
          if [ -f "${EE_REQUIREMENTS_PIP}" ]; then
            pip install --no-cache-dir --break-system-packages --root-user-action=ignore -r "${EE_REQUIREMENTS_PIP}"
          fi

          ansible-playbook --version
          ansible-playbook --private-key '/home/runner/.ssh/id_ed25519' -i '/workspace/${{ gitea.repository }}/inventory/hosts.yml' '/workspace/${{ gitea.repository }}/plays/${{ steps.get-role-info.outputs.role_name }}.yml'
        fi
      env:
        VAULT_SECRET: ${{ inputs.ANSIBLE_VAULT_PASSWORD }}
        ANSIBLE_CONFIG: ${{ steps.get-role-info.outputs.config_file }}
        ANSIBLE_HOST_KEY_CHECKING: "false"
        ANSIBLE_DEPRECATION_WARNINGS: "false"