---
# Git and version control tools installation
# ============================================================================
# FEDORA - Git from base repos (Fedora 42+ has recent git)
# ============================================================================
# Fedora only: git, git-lfs and git-filter-repo through dnf.
# `state: latest` upgrades packages that are already installed, so the
# installed version follows whatever the enabled repositories publish.
- name: Install latest Git (Fedora)
  when: ansible_facts['distribution'] == 'Fedora'
  ansible.builtin.dnf:
    state: latest
    name:
      - git
      - git-lfs
      - git-filter-repo
# ============================================================================
# UBUNTU - Latest Git from PPA
# ============================================================================
# The git-core PPA signs with two keys:
# E1DD270288B4E6030699E45FA1715D88E1DF1F24 (RSA-1024, legacy)
# E363C90F8F1B6217 (newer key)
# Ubuntu 25.04+ rejects the RSA-1024 key. We import both keys into a binary
# keyring so apt can verify against whichever key the PPA uses.
# Clean up old PPA configuration if exists (migration from legacy method)
# Ubuntu only: delete the three source-list files named in the loop so that
# no earlier git-core PPA entry stays active next to the current one.
- name: Remove old git-core PPA configuration
  when: ansible_facts['distribution'] == 'Ubuntu'
  ansible.builtin.file:
    state: absent
    path: "/etc/apt/sources.list.d/{{ item }}"
  loop:
    - git-core-ubuntu-ppa-noble.list
    - git-core-ubuntu-ppa-jammy.list
    - ppa_git_core_ppa.list
# Ubuntu only: remove the ASCII-armoured key file; the repository entry is
# verified against the binary keyring git-core-ppa.gpg instead.
- name: Remove old git-core PPA ASC key (replaced by binary keyring)
  when: ansible_facts['distribution'] == 'Ubuntu'
  ansible.builtin.file:
    state: absent
    path: /etc/apt/keyrings/git-core-ppa.asc
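# Ubuntu only: build a dedicated keyring for the git-core PPA, register the
# PPA with `signed-by` pointing at that keyring, then install the packages.
- name: Install latest Git via PPA (Ubuntu)
  when: ansible_facts['distribution'] == 'Ubuntu'
  block:
    # `creates:` skips this task whenever the keyring file exists, so the
    # keyring is written to its final path only after the non-empty check
    # has passed. A zero-byte file left behind by an earlier failed run must
    # be removed by hand before this task will run again.
    - name: Import git-core PPA GPG keys via HTTP (more reliable than keyserver)
      ansible.builtin.shell:
        cmd: |
          set -euo pipefail
          KEYRING=/etc/apt/keyrings/git-core-ppa.gpg
          mkdir -p /etc/apt/keyrings
          # Assign and export separately so a failing mktemp aborts under `set -e`.
          GNUPGHOME=$(mktemp -d)
          export GNUPGHOME
          trap 'rm -rf "$GNUPGHOME"' EXIT
          # Fetch keys via HTTP export (keyserver.ubuntu.com gpg protocol is unreliable)
          # NOTE(review): E363C90F8F1B6217 is a 64-bit long key ID, not a full
          # fingerprint, so the lookup and the export below accept any key that
          # carries this ID. Pin the full 40-hex fingerprint here once it has
          # been confirmed against the PPA's Launchpad page.
          for KEY_ID in E1DD270288B4E6030699E45FA1715D88E1DF1F24 E363C90F8F1B6217; do
            # A failed fetch stays non-fatal, but it is reported instead of hidden.
            if ! curl -fsSL "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${KEY_ID}" \
                | gpg --batch --import 2>/dev/null; then
              echo "WARNING: could not fetch or import key ${KEY_ID}" >&2
            fi
          done
          # Export into the scratch directory first; the final path is touched
          # only after the check below.
          gpg --batch --export \
            E1DD270288B4E6030699E45FA1715D88E1DF1F24 \
            E363C90F8F1B6217 \
            > "$GNUPGHOME/git-core-ppa.gpg"
          # Verify we actually got keys (file should be >0 bytes)
          [ -s "$GNUPGHOME/git-core-ppa.gpg" ] || { echo "ERROR: GPG keyring is empty"; exit 1; }
          # Explicit mode: the keyring has to be readable by apt regardless of
          # the umask this task runs under.
          install -m 0644 "$GNUPGHOME/git-core-ppa.gpg" "$KEYRING"
      args:
        executable: /bin/bash
        creates: /etc/apt/keyrings/git-core-ppa.gpg

    # Map unsupported Ubuntu releases to nearest supported LTS
    # Launchpad PPAs only publish for LTS releases (jammy, noble)
    # Releases newer than 24.04 use 'noble'; everything else keeps its own
    # codename.
    - name: Determine git-core PPA codename
      ansible.builtin.set_fact:
        git_ppa_codename: >-
          {{ (ansible_facts['distribution_version'] is version('24.04', '>'))
          | ternary('noble', ansible_facts['distribution_release']) }}

    # Drop the plain-HTTP source line if an earlier run of this play wrote
    # it, so the same suite is not configured twice in git-core-ppa.list.
    - name: Remove plain-HTTP git-core PPA entry (superseded by HTTPS)
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/git-core-ppa.gpg] http://ppa.launchpadcontent.net/git-core/ppa/ubuntu {{ git_ppa_codename }} main"
        filename: git-core-ppa
        state: absent
        update_cache: false

    # The archive is fetched over HTTPS. apt still verifies the Release
    # signature against the keyring above; TLS is an additional layer, which
    # matters here because one of the two signing keys is RSA-1024.
    - name: Add git-core PPA repository
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/git-core-ppa.gpg] https://ppa.launchpadcontent.net/git-core/ppa/ubuntu {{ git_ppa_codename }} main"
        filename: git-core-ppa
        state: present

    # `state: latest` upgrades on every run; `update_cache` refreshes the
    # package index first so the PPA's packages are visible.
    - name: Install Git and Git LFS (from PPA)
      ansible.builtin.apt:
        name:
          - git
          - git-lfs
          - git-filter-repo
        state: latest
        update_cache: true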
# ============================================================================
# macOS - Latest Git from Homebrew
# ============================================================================
# macOS only: the same three packages through Homebrew. The task runs
# without privilege escalation and with the environment taken from
# `homebrew_env`, which is defined outside this file.
- name: Install latest Git (macOS)
  when: ansible_facts['distribution'] == 'MacOSX'
  become: false
  environment: "{{ homebrew_env }}"
  community.general.homebrew:
    state: latest
    name:
      - git
      - git-lfs
      - git-filter-repo
# ============================================================================
# GITHUB CLI (all platforms)
# ============================================================================
# Fedora only: `state: present` installs gh when it is missing and does not
# upgrade an existing installation.
- name: Install GitHub CLI (Fedora)
  when: ansible_facts['distribution'] == 'Fedora'
  ansible.builtin.dnf:
    state: present
    name: gh
# Ubuntu only: gh comes from whichever apt sources the host already has
# configured; this task adds no repository of its own.
- name: Install GitHub CLI (Ubuntu)
  when: ansible_facts['distribution'] == 'Ubuntu'
  ansible.builtin.apt:
    state: present
    name: gh
# macOS only: gh through Homebrew, without privilege escalation and with
# the environment taken from `homebrew_env` (defined outside this file).
- name: Install GitHub CLI (macOS)
  when: ansible_facts['distribution'] == 'MacOSX'
  become: false
  environment: "{{ homebrew_env }}"
  community.general.homebrew:
    state: present
    name: gh
# ============================================================================
# CONFIGURE GIT LFS (all platforms, user-level)
# ============================================================================
# Runs `git lfs install` as the connecting user (no privilege escalation).
# The result is always reported as unchanged, and a non-zero exit never
# fails the play, so a missing or broken git-lfs goes unnoticed here.
- name: Install Git LFS hooks
  become: false
  ansible.builtin.command:
    cmd: git lfs install
  failed_when: false
  changed_when: false