This repo can run disposable Rancher alpha sign-off lanes in GitHub
Actions while still keeping local tool-config.yml usage unchanged.
The GitHub Actions path is intentionally environment-gated:
automation-bootstrapcreates or updates the Terraform state backend.rancher-signoffprovisions Rancher, optional Linode downstreams, optional directrancher/testssuite runs, writes compact receipts, and cleans up.
Do not put cloud credentials, Rancher tokens, kubeconfigs, or generated .env
files in GitHub variables, logs, reports, or artifacts.
Create these GitHub environments under repository settings.
| Environment | Purpose | Recommended protection |
|---|---|---|
automation-bootstrap |
One-time S3/DynamoDB state backend bootstrap. | Required reviewers. |
rancher-signoff |
Live AWS/Linode Rancher sign-off lanes. | Required reviewers. |
automation-bootstrap needs one secret:
| Secret | Required | Purpose |
|---|---|---|
AWS_BOOTSTRAP_ROLE_ARN |
yes | AWS OIDC role that can create/update the S3 state bucket and DynamoDB lock table. |
Run .github/workflows/bootstrap-terraform-state.yml first with apply=false.
After reviewing the plan, run it again with apply=true.
The apply run writes a non-secret terraform-backend-env artifact and step
summary:
TF_STATE_BUCKET=...
TF_STATE_LOCK_TABLE=...
TF_STATE_REGION=...Copy those values into rancher-signoff environment variables. Bucket and
table names are not credentials, but they are visible to anyone who can view
workflow logs/artifacts for this repository.
rancher-signoff secrets:
| Secret | Required | Purpose |
|---|---|---|
AWS_AUTOMATION_ROLE_ARN |
yes | AWS OIDC role used by live sign-off lanes. |
RANCHER_BOOTSTRAP_PASSWORD |
yes | Initial Rancher admin password rendered into generated tool-config.yml. |
LINODE_TOKEN |
yes for downstream lanes | Linode token used by Rancher to create the disposable downstream K3s node. |
DOCKERHUB_USERNAME |
optional | Docker Hub auth for RKE2 pulls when needed. |
DOCKERHUB_PASSWORD |
optional | Docker Hub auth for RKE2 pulls when needed. |
| The workflow masks repository secrets, generated Rancher admin tokens, and the | ||
| generated Linode root password before noisy provisioning steps. |
rancher-signoff variables:
| Variable | Required | Purpose |
|---|---|---|
TF_STATE_BUCKET |
yes | S3 bucket from bootstrap output. |
TF_STATE_LOCK_TABLE |
yes | DynamoDB lock table from bootstrap output. |
TF_STATE_REGION |
yes | AWS region for the Terraform backend. |
AWS_REGION |
yes | AWS region for Rancher infrastructure. |
AWS_VPC |
yes | Existing VPC ID. |
AWS_SUBNET_A |
yes | Existing subnet for infrastructure node/security wiring. |
AWS_SUBNET_B |
yes | Existing subnet for infrastructure node/security wiring. |
AWS_SUBNET_C |
yes | Existing subnet for infrastructure node/security wiring. |
AWS_AMI |
yes | AMI used by Rancher infrastructure nodes. |
AWS_SUBNET_ID |
yes | Subnet ID used by EC2 instances. |
AWS_SECURITY_GROUP_ID |
yes | Security group ID used by EC2 instances. |
AWS_PEM_KEY_NAME |
yes | Existing EC2 key pair name expected by the Terraform module. |
AWS_ROUTE53_FQDN |
yes | Route53 zone/domain suffix used for Rancher DNS records. |
AWS_PREFIX |
recommended | Owner/base prefix included in generated sign-off resource names, for example atb produces gha-atb-23456789-wu. |
OWNER_FIRST_NAME |
yes | First name used in AWS Owner tags. |
OWNER_LAST_NAME |
yes | Last name used in AWS Owner tags. |
RANCHER_TESTS_REF |
optional | Ref to clone from https://github.com/rancher/tests.git; defaults to main. |
RANCHER_TEST_SUITE_SETTLE_SECONDS |
optional | Pause between direct rancher/tests suites; defaults to 30. |
| Workflow | Creates cloud resources | Notes |
|---|---|---|
signoff-plan.yml |
no, but it can dispatch the runner | Manual plan generation from signoff-targets.json or a single input version. Dispatch skips lanes already active or already successful on the current branch unless rerun_successful_lanes=true. |
bootstrap-terraform-state.yml |
yes, only when apply=true |
Creates or updates the persistent S3/DynamoDB backend. |
run-rancher-signoff-lane.yml |
yes | Runs one Rancher sign-off lane, optionally with Linode downstreams and direct rancher/tests suite runs, then cleans up. |
After environments, secrets, and variables are configured:
- Run
Plan Rancher Sign-Offmanually for a known alpha, for examplev2.13.5-alpha5, withdispatch_runs=false. - Run
Run Rancher Sign-Off Lanewith:rancher_version:v2.13.5-alpha5lane:framework-regressionkeep_infra_on_failure:falserun_rancher_tests:false
- Confirm the run provisions Rancher, waits for readiness, renders a report, uploads a compact JSON receipt, and destroys AWS infrastructure.
- Next, run
webhook-fresh-installwithrun_rancher_tests=falseto prove the single-node Linode downstream and downstream cleanup. - After those are clean, enable
run_rancher_tests=trueto clonehttps://github.com/rancher/tests.gitand run the lane's suites in the same workflow job. Theframework-regressionlane runs framework regression plus VAI disabled for Rancher 2.11 and older and VAI enabled for Rancher 2.12 and newer. Downstream webhook lanes run webhook security settings for Rancher 2.14 and newer when the actual Rancher chart should contain those settings. - For normal use, edit
signoff-targets.jsonwith the alpha versions you care about and runPlan Rancher Sign-Offmanually withdispatch_runs=true.
Use signoff-targets.json as the source of truth for manually selected targets:
{
"targets": [
{
"rancher_version": "v2.14.1-alpha7"
}
]
}To keep a target in the file without planning it, set enabled to false.
Use keep_infra_on_failure=true only for manual debugging. It can leave AWS and
Linode resources running.
The sign-off workflow uploads one compact JSON receipt per lane. The receipt
keeps operational recovery fields such as terraform_state_key and aws_prefix
but omits live Rancher URLs, kubeconfigs, generated environment files, raw
Terraform outputs, and copied logs.
It does not upload:
- generated suite
.envfiles - Rancher admin tokens
- kubeconfigs
- Terraform state files
- AWS credentials
- Linode tokens
Normal sign-off runs clean up automatically when keep_infra_on_failure=false.