
# DigitalOcean runner pool helpers

These scripts are the S41j operator path for creating shithub Actions runner hosts without using the DigitalOcean dashboard.

They create only infrastructure. They do not generate, store, or print runner registration tokens.

## Provision a pool

```sh
SSH_KEY_NAME=macbook-pro \
SSH_ALLOWED_CIDRS=203.0.113.4/32 \
./deploy/doctl/provision-actions-runner-pool.sh --dry-run

SSH_KEY_NAME=macbook-pro \
SSH_ALLOWED_CIDRS=203.0.113.4/32 \
./deploy/doctl/provision-actions-runner-pool.sh
```

Defaults:

- pool: `shared-linux`
- project: `shithub-prod`
- region: `sfo3`
- size: `s-2vcpu-4gb`
- image: `ubuntu-24-04-x64`
- tag: `shithub-actions-runner`
- cloud-init: `deploy/doctl/actions-runner-cloud-init.yaml`

`SSH_ALLOWED_CIDRS` must be one or more operator/VPN CIDRs. The provisioner refuses `0.0.0.0/0` and `::/0` for SSH.
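As an added example, not one of the `deploy/doctl` scripts: a POSIX sh guard that reproduces the `SSH_ALLOWED_CIDRS` rule so a wrapper script or CI job can fail before the provisioner is even called. It assumes the list is comma- or space-separated (the provisioner's exact separator is not documented here) and goes slightly beyond the two literals above by rejecting every `/0` prefix, out-of-range prefixes and malformed entries.

```sh
#!/bin/sh
# Added example, not part of deploy/doctl. Assumes SSH_ALLOWED_CIDRS is a
# comma- or space-separated list of CIDRs. Returns 0 when every entry is a
# usable operator/VPN range, 1 otherwise, naming the offending entry on stderr.
ssh_cidrs_ok() {
    list=$1
    [ -n "$list" ] || { echo "SSH_ALLOWED_CIDRS is empty" >&2; return 1; }
    old_ifs=$IFS
    IFS=', '
    set -- $list
    IFS=$old_ifs
    for cidr in "$@"; do
        case $cidr in
            */*) ;;
            *) echo "not a CIDR (missing /prefix): $cidr" >&2; return 1 ;;
        esac
        addr=${cidr%/*}
        prefix=${cidr##*/}
        case $prefix in
            ''|*[!0-9]*) echo "bad prefix length: $cidr" >&2; return 1 ;;
        esac
        if printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            max=32
            # Each dotted octet must fit in a byte.
            for octet in $(printf '%s' "$addr" | tr '.' ' '); do
                [ "$octet" -le 255 ] || { echo "bad IPv4 address: $cidr" >&2; return 1; }
            done
        elif printf '%s' "$addr" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; then
            max=128
        else
            echo "unrecognised address: $cidr" >&2; return 1
        fi
        # A /0 prefix is the whole address family: 0.0.0.0/0, ::/0, or any
        # other spelling of it. Prefixes beyond the family width are rejected too.
        if [ "$prefix" -eq 0 ] || [ "$prefix" -gt "$max" ]; then
            echo "refusing world-open or invalid SSH range: $cidr" >&2; return 1
        fi
    done
    return 0
}

# Usage in a wrapper, before calling the provisioner:
#   ssh_cidrs_ok "$SSH_ALLOWED_CIDRS" || exit 1
```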

## Generate inventory

```sh
./deploy/doctl/generate-actions-runner-inventory.sh \
  --output deploy/ansible/inventory/actions-runners
```

Replace the generated token placeholders with per-host values from `shithubd admin runner register`, preferably through ansible-vault or host_vars. Generate one token per runner host:

```sh
shithubd admin runner register \
  --name actions-runner-1 \
  --labels self-hosted,linux,ubuntu-latest,x64 \
  --capacity 1 \
  --output json
```

Store the returned `token` in inventory/vault, not in shell history. Rotate by registering a replacement token, deploying it to the host, confirming heartbeat, then revoking the old runner token. Use `--expires-in` only when that rotation is automated before the token expires.

Then run:

```sh
make build
cd deploy/ansible
ansible-playbook -i inventory/actions-runners site.yml -t shithubd-runner
```

## Destroy a test pool

List runner droplets:

```sh
doctl compute droplet list --tag-name shithub-actions-runner
```

Delete specific test droplets by ID or name only after draining/revoking the runner in shithub.
