Setup GH Action to create Self Hosted GH Runners on the STFC Cloud#3
Documentation on the process https://github.com/isisbusapps/ISISBusApps/wiki/Deployment-of-Self-Hosted-Github-Action-Runners
vovsike
left a comment
Looks good overall, a few comments here and there, mainly to improve security around accidentally exposing secrets.
Also, is it possible to make it so the number of runners made is configurable as an input param?
| @@ -0,0 +1,81 @@ | |||
| name: apply-sh-gh-runner-config | |||
Is the name correct? Also it can be a bit more user friendly with spaces.
| - name: Setup SSH | ||
| env: | ||
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips}} | ||
| run: | | ||
| service ssh status | ||
| eval `ssh-agent -s` | ||
| mkdir -p ~/.ssh/ | ||
| touch ~/.ssh/config | ||
| touch ~/.ssh/id_rsa | ||
| echo -e "${{ secrets.FASE_SSH_KEY }}" > ~/.ssh/id_rsa | ||
| chmod 400 ~/.ssh/id_rsa | ||
| echo $VM_IPS >> ../ansible/hosts.txt | ||
| sed -i '$!s/$/,/' ../ansible/hosts.txt | ||
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts |
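Review bot: `echo -e "${{ secrets.FASE_SSH_KEY }}" > ~/.ssh/id_rsa` interpolates the private key straight into the generated shell script rather than reading it from the environment; expose it through `env:` and write it with plain `echo "$FASE_SSH_KEY"` (the `-e` flag would also rewrite any backslash sequences that happen to appear in the key material). The output reference `${{ steps.export.outputs.check-vms.vm_ips}}` also looks malformed: step outputs are addressed as `steps.<step-id>.outputs.<output-name>`, so this should probably be `steps.check-vms.outputs.vm_ips` or `steps.export.outputs.vm_ips`, whichever step actually sets it. Minor: `ssh-agent` is started but no key is ever added to it, and `~/.ssh/config` is created and never used, so both lines can go.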
| - name: Setup SSH | |
| env: | |
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips}} | |
| run: | | |
| service ssh status | |
| eval `ssh-agent -s` | |
| mkdir -p ~/.ssh/ | |
| touch ~/.ssh/config | |
| touch ~/.ssh/id_rsa | |
| echo -e "${{ secrets.FASE_SSH_KEY }}" > ~/.ssh/id_rsa | |
| chmod 400 ~/.ssh/id_rsa | |
| echo $VM_IPS >> ../ansible/hosts.txt | |
| sed -i '$!s/$/,/' ../ansible/hosts.txt | |
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts | |
| - name: Setup SSH | |
| env: | |
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips }} | |
| FASE_SSH_KEY: ${{ secrets.FASE_SSH_KEY }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| echo "$FASE_SSH_KEY" > ~/.ssh/id_rsa | |
| chmod 400 ~/.ssh/id_rsa | |
| eval $(ssh-agent -s) | |
| ssh-add ~/.ssh/id_rsa | |
| echo "$VM_IPS" >> ../ansible/hosts.txt | |
| sed -i '$!s/$/,/' ../ansible/hosts.txt | |
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts |
A bit cleaner version. Not sure why you needed the config file as well if you never use it.
| - name: Run GitHub runner setup playbook # Include any environment variables needed | ||
| run: | | ||
| ansible-playbook --private-key ~/.ssh/id_rsa -u ${{ secrets.ANSIBLE_DEPLOY_USER }} -i ../ansible/hosts.ini ../ansible/create-gh-action-runners.yaml --extra-vars ACCESS_TOKEN=${{ secrets.ACCESS_TOKEN }} --extra-vars ORG=${{ github.repository_owner }} | ||
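Review bot: `--extra-vars ACCESS_TOKEN=${{ secrets.ACCESS_TOKEN }}` places the token on the `ansible-playbook` command line, where it is visible in the runner's process list and in any debug output that echoes the command; read it from `env:` and hand it to Ansible through a vars file (`--extra-vars "@file"`) instead. Separately, this step uses `-i ../ansible/hosts.ini` while the Setup SSH step above only writes `../ansible/hosts.txt`, so the playbook will run against whatever `hosts.ini` is checked in rather than the VMs that were just created.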
| - name: Run GitHub runner setup playbook # Include any environment variables needed | |
| run: | | |
| ansible-playbook --private-key ~/.ssh/id_rsa -u ${{ secrets.ANSIBLE_DEPLOY_USER }} -i ../ansible/hosts.ini ../ansible/create-gh-action-runners.yaml --extra-vars ACCESS_TOKEN=${{ secrets.ACCESS_TOKEN }} --extra-vars ORG=${{ github.repository_owner }} | |
| - name: Run GitHub runner setup playbook | |
| env: | |
| ANSIBLE_DEPLOY_USER: ${{ secrets.ANSIBLE_DEPLOY_USER }} | |
| ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }} | |
| run: | | |
| cat > /tmp/extra_vars.yml << EOF | |
| ACCESS_TOKEN: "${ACCESS_TOKEN}" | |
| ORG: "${{ github.repository_owner }}" | |
| EOF | |
| ansible-playbook \ | |
| --private-key ~/.ssh/id_rsa \ | |
| -u "$ANSIBLE_DEPLOY_USER" \ | |
| -i ../ansible/hosts.ini \ | |
| ../ansible/create-gh-action-runners.yaml \ | |
| --extra-vars "@/tmp/extra_vars.yml" | |
| rm -f /tmp/extra_vars.yml | |
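Review bot: the vars file is written to a fixed `/tmp/extra_vars.yml` path with the default umask, so the token sits world-readable on the runner until `rm -f` runs; create it with `mktemp` under `umask 077` (or `chmod 600` it before the heredoc). Also, `run:` steps execute with `bash -e` by default, so if `ansible-playbook` fails the trailing `rm -f /tmp/extra_vars.yml` never executes; a `trap 'rm -f "$VARS_FILE"' EXIT` set before the heredoc removes it on every exit path.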
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 |
| - name: Setup SSH | ||
| env: | ||
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips}} | ||
| run: | | ||
| service ssh status | ||
| eval `ssh-agent -s` | ||
| mkdir -p ~/.ssh/ | ||
| touch ~/.ssh/config | ||
| touch ~/.ssh/id_rsa | ||
| echo -e "${{ secrets.FASE_SSH_KEY }}" > ~/.ssh/id_rsa | ||
| chmod 400 ~/.ssh/id_rsa | ||
| echo [servers] > ../ansible/hosts.ini | ||
| cat hosts.txt >> ../ansible/hosts.ini | ||
| sed -i '$!s/$/,/' ../ansible/hosts.txt | ||
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts | ||
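Review bot: `cat hosts.txt >> ../ansible/hosts.ini` reads `hosts.txt` from the working directory, but nothing in this step creates it and the following two lines operate on `../ansible/hosts.txt`, so the inventory will be empty or stale; `VM_IPS` is exported to the step but never written anywhere, which is presumably what should be feeding the inventory. The unquoted `echo [servers]` is also a shell glob that could match a single-character file name in the working directory; write it as `echo "[servers]"`. The same secret-in-script and `echo -e` concerns from the create workflow's Setup SSH step apply here.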
| - name: Setup SSH | |
| env: | |
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips}} | |
| run: | | |
| service ssh status | |
| eval `ssh-agent -s` | |
| mkdir -p ~/.ssh/ | |
| touch ~/.ssh/config | |
| touch ~/.ssh/id_rsa | |
| echo -e "${{ secrets.FASE_SSH_KEY }}" > ~/.ssh/id_rsa | |
| chmod 400 ~/.ssh/id_rsa | |
| echo [servers] > ../ansible/hosts.ini | |
| cat hosts.txt >> ../ansible/hosts.ini | |
| sed -i '$!s/$/,/' ../ansible/hosts.txt | |
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts | |
| - name: Setup SSH | |
| env: | |
| VM_IPS: ${{ steps.export.outputs.check-vms.vm_ips }} | |
| FASE_SSH_KEY: ${{ secrets.FASE_SSH_KEY }} | |
| run: | | |
| mkdir -p ~/.ssh | |
| echo "$FASE_SSH_KEY" > ~/.ssh/id_rsa | |
| chmod 400 ~/.ssh/id_rsa | |
| eval $(ssh-agent -s) | |
| ssh-add ~/.ssh/id_rsa | |
| echo [servers] > ../ansible/hosts.ini | |
| cat hosts.txt >> ../ansible/hosts.ini | |
| sed -i '$!s/$/,/' ../ansible/hosts.txt | |
| ssh-keyscan -f ../ansible/hosts.txt >> ~/.ssh/known_hosts | |
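Review bot: the suggested replacement still carries the `cat hosts.txt` / `../ansible/hosts.txt` path mismatch and the unused `VM_IPS` from the original, so applying it fixes the secret handling but not the inventory generation; whichever path is intended should be used consistently on all three lines, and `VM_IPS` should be the source of the addresses.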
Same as the other one, I think they were very similar apart from the hosts file
| - name: Run GitHub runner setup playbook # Include any environment variables needed | ||
| run: | | ||
| ansible-playbook --private-key ~/.ssh/id_rsa -i ../ansible/hosts.ini ../ansible/destroy-gh-action-runners.yaml --extra-vars ACCESS_TOKEN=${{ secrets.ACCESS_TOKEN }} --extra-vars ORG=${{ github.repository_owner }} |
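Review bot: the `-u ${{ secrets.ANSIBLE_DEPLOY_USER }}` flag that the create playbook step passes is missing here, so the destroy playbook will connect as the runner's local user unless the inventory sets `ansible_user`; the token is also passed on the command line again and should move to `env:` plus a vars file, matching the create step.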
Probably just format the same way I have suggested above
| [servers] | ||
| 172.16.112.246 | ||
| 172.16.103.56 | ||
| 172.16.113.51 | ||
| 172.16.102.102 | ||
| 172.16.101.227 |
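Review bot: a static `[servers]` inventory committed to the repo conflicts with the workflow generating addresses at runtime; since the create playbook step reads `../ansible/hosts.ini` and the workflow only writes `hosts.txt`, these five addresses are what actually gets targeted by the playbook today. Either have the workflow generate `hosts.ini` from `VM_IPS` and drop this file, or, if it is meant as a sample, rename it (e.g. `hosts.ini.example`) so it is never picked up by mistake.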
Are these meant to be here? And if so, will they stay static? It looks like new runners will just get new IPs.
Closes: #1
Use Terraform & ansible to create VMs for Self Hosted GitHub Action Runners