fix(ibmcloud): address CodeRabbit review findings for GitLab runner support

- Validate mutual exclusion of --glrunner-project-id and --glrunner-group-id
  in params.GitLabRunnerArgs; log error and return nil when both are set
- Remove global state mutation (SetAuthToken/GetRunnerArgs) from ApplyT
  closures in ibm-power and ibm-z; use a local value copy with AuthToken set
- Fix error swallowing in ibm-z buildUserDataInput: change signature to
  (pulumi.StringPtrInput, error) and propagate template errors to callers
- Change start_at from beginning to end for filelog/gitlab-runner receiver
  in both IBM cloud-configs (avoid re-shipping pre-existing log content)
- Add apt-get update before apt-get install in IBM Z cloud-config
- Add logrotate config for /var/log/gitlab-runner/runner.log in both
  IBM cloud-configs (daily, 7 rotations, copytruncate)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adrianriobo

cmd/mapt/cmd/params/params.go

@@ -7,6 +7,7 @@ import (
 	cr "github.com/redhat-developer/mapt/pkg/provider/api/compute-request"
 	spotTypes "github.com/redhat-developer/mapt/pkg/provider/api/spot"
 	"github.com/redhat-developer/mapt/pkg/util"
+	"github.com/redhat-developer/mapt/pkg/util/logging"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 )
@@ -285,21 +286,29 @@ func CirrusPersistentWorkerArgs() *cirrus.PersistentWorkerArgs {
 	return nil
 }
 
-func GitLabRunnerArgs() *gitlab.GitLabRunnerArgs {
+func GitLabRunnerArgs(arch *gitlab.Arch) *gitlab.GitLabRunnerArgs {
 	if viper.IsSet(glRunnerToken) {
+		if viper.IsSet(glRunnerProjectID) && viper.IsSet(glRunnerGroupID) {
+			logging.Error("--glrunner-project-id and --glrunner-group-id are mutually exclusive; ignoring GitLab runner configuration")
+			return nil
+		}
 		return &gitlab.GitLabRunnerArgs{
 			GitLabToken: viper.GetString(glRunnerToken),
-			ProjectID: viper.GetString(glRunnerProjectID),
-			GroupID:   viper.GetString(glRunnerGroupID),
-			URL:       viper.GetString(glRunnerURL),
-			Tags:      viper.GetStringSlice(glRunnerTags),
-			Platform:  &gitlab.Linux,
-			Arch:      linuxArchAsGitLabArch(viper.GetString(LinuxArch)),
+			ProjectID:   viper.GetString(glRunnerProjectID),
+			GroupID:     viper.GetString(glRunnerGroupID),
+			URL:         viper.GetString(glRunnerURL),
+			Tags:        viper.GetStringSlice(glRunnerTags),
+			Platform:    &gitlab.Linux,
+			Arch:        arch,
 		}
 	}
 	return nil
 }
 
+func LinuxGitLabArch() *gitlab.Arch {
+	return linuxArchAsGitLabArch(viper.GetString(LinuxArch))
+}
+
 func linuxArchAsCirrusArch(arch string) *cirrus.Arch {
 	switch arch {
 	case "x86_64":
@@ -340,17 +349,3 @@ func MACArchAsGitLabArch(arch string) *gitlab.Arch {
 	return &gitlab.Arm64
 }
 
-func GitLabRunnerArgsForArch(arch *gitlab.Arch) *gitlab.GitLabRunnerArgs {
-	if viper.IsSet(glRunnerToken) {
-		return &gitlab.GitLabRunnerArgs{
-			GitLabToken: viper.GetString(glRunnerToken),
-			ProjectID:   viper.GetString(glRunnerProjectID),
-			GroupID:     viper.GetString(glRunnerGroupID),
-			URL:         viper.GetString(glRunnerURL),
-			Tags:        viper.GetStringSlice(glRunnerTags),
-			Platform:    &gitlab.Linux,
-			Arch:        arch,
-		}
-	}
-	return nil
-}

pkg/provider/ibmcloud/action/ibm-power/cloud-config

@@ -77,7 +77,7 @@ write_files:
         filelog/gitlab-runner:
           include:
           - /var/log/gitlab-runner/runner.log
-          start_at: beginning
+          start_at: end
           include_file_path: true
           include_file_name: true
           operators:
@@ -152,6 +152,18 @@ write_files:
       [Service]
       StandardOutput=append:/var/log/gitlab-runner/runner.log
       StandardError=append:/var/log/gitlab-runner/runner.log
+  - path: /etc/logrotate.d/gitlab-runner
+    permissions: '0644'
+    content: |
+      /var/log/gitlab-runner/runner.log {
+          daily
+          rotate 7
+          compress
+          delaycompress
+          missingok
+          notifempty
+          copytruncate
+      }
   - path: /opt/install-glrunner.sh
     permissions: '0755'
     content: |

pkg/provider/ibmcloud/action/ibm-power/ibm-power.go

@@ -171,10 +171,10 @@ func (r *pwRequest) deploy(ctx *pulumi.Context) error {
 			return err
 		}
 		gateway := subnetInfo.Gateway
+		localArgs := *glRunnerArgs
 		piUserDataInput = authToken.ApplyT(func(token string) (*string, error) {
-			gitlab.SetAuthToken(token)
-			defer gitlab.SetAuthToken("")
-			glSnippet, err := integrations.GetIntegrationSnippetAsCloudInitWritableFile(gitlab.GetRunnerArgs(), defaultUser)
+			localArgs.AuthToken = token
+			glSnippet, err := integrations.GetIntegrationSnippetAsCloudInitWritableFile(&localArgs, defaultUser)
 			if err != nil {
 				return nil, err
 			}

pkg/provider/ibmcloud/action/ibm-z/cloud-config

@@ -77,7 +77,7 @@ write_files:
         filelog/gitlab-runner:
           include:
           - /var/log/gitlab-runner/runner.log
-          start_at: beginning
+          start_at: end
           include_file_path: true
           include_file_name: true
           operators:
@@ -152,13 +152,26 @@ write_files:
       [Service]
       StandardOutput=append:/var/log/gitlab-runner/runner.log
       StandardError=append:/var/log/gitlab-runner/runner.log
+  - path: /etc/logrotate.d/gitlab-runner
+    permissions: '0644'
+    content: |
+      /var/log/gitlab-runner/runner.log {
+          daily
+          rotate 7
+          compress
+          delaycompress
+          missingok
+          notifempty
+          copytruncate
+      }
   - path: /opt/install-glrunner.sh
     permissions: '0755'
     content: |
 {{.GitLabRunnerScript}}
 {{- end}}
 {{- end}}
 runcmd:
+  - apt-get update -y
   - apt-get install -y git podman
 {{- if or (and .AppCode .OtelAuthToken .OtelIndex) .GitLabRunnerScript}}
 {{- if and .AppCode .OtelAuthToken .OtelIndex}}

pkg/provider/ibmcloud/action/ibm-z/ibm-z.go

@@ -69,16 +69,17 @@ type ZArgs struct {
 }
 
 type zRequest struct {
-	mCtx            *mc.Context
-	prefix          *string
-	zone            *string
-	subnetID        *string
-	otelAppCode     string
-	otelAuthToken   string
-	otelEndpoint    string
-	otelIndex       string
-	otelExtraAttrs  map[string]string
-	glAuthToken     *pulumi.StringOutput
+	mCtx              *mc.Context
+	prefix            *string
+	zone              *string
+	subnetID          *string
+	otelAppCode       string
+	otelAuthToken     string
+	otelEndpoint      string
+	otelIndex         string
+	otelExtraAttrs    map[string]string
+	glAuthToken       *pulumi.StringOutput
+	glRunnerArgsCopy  *gitlab.GitLabRunnerArgs
 }
 
 // New provisions an IBM Z (s390x) VPC instance. When SubnetID is set the
@@ -150,6 +151,8 @@ func (r *zRequest) deploy(ctx *pulumi.Context) error {
 			return err
 		}
 		r.glAuthToken = &authToken
+		argsCopy := *glRunnerArgs
+		r.glRunnerArgsCopy = &argsCopy
 	}
 	if r.subnetID != nil {
 		return r.deployWithExistingSubnet(ctx)
@@ -202,7 +205,11 @@ func (r *zRequest) deploy(ctx *pulumi.Context) error {
 			},
 		},
 	}
-	instanceArgs.UserData = r.buildUserDataInput()
+	userData, err := r.buildUserDataInput()
+	if err != nil {
+		return err
+	}
+	instanceArgs.UserData = userData
 	// https://cloud.ibm.com/docs/vpc?topic=vpc-profiles&interface=ui&q=s390x&tags=vpc
 	i, err := ibmcloud.NewIsInstance(ctx,
 		resourcesUtil.GetResourceName(*r.prefix, stackIBMS390, "is"),
@@ -284,7 +291,11 @@ func (r *zRequest) deployWithExistingSubnet(ctx *pulumi.Context) error {
 			SecurityGroups: pulumi.StringArray{sg.ID()},
 		},
 	}
-	existingSubnetInstanceArgs.UserData = r.buildUserDataInput()
+	existingSubnetUserData, err := r.buildUserDataInput()
+	if err != nil {
+		return err
+	}
+	existingSubnetInstanceArgs.UserData = existingSubnetUserData
 	// https://cloud.ibm.com/docs/vpc?topic=vpc-profiles&interface=ui&q=s390x&tags=vpc
 	i, err := ibmcloud.NewIsInstance(ctx,
 		resourcesUtil.GetResourceName(*r.prefix, stackIBMS390, "is"),
@@ -330,13 +341,13 @@ func (r *zRequest) deployWithExistingSubnet(ctx *pulumi.Context) error {
 // UserData field. If a GitLab runner token output is available it uses ApplyT
 // to embed the runner setup script after the token is resolved; otherwise it
 // renders the cloud-config synchronously.
-func (r *zRequest) buildUserDataInput() pulumi.StringPtrInput {
+func (r *zRequest) buildUserDataInput() (pulumi.StringPtrInput, error) {
 	hasOtel := r.otelAppCode != "" && r.otelAuthToken != ""
 	if r.glAuthToken != nil {
+		localArgs := *r.glRunnerArgsCopy
 		return r.glAuthToken.ApplyT(func(token string) (*string, error) {
-			gitlab.SetAuthToken(token)
-			defer gitlab.SetAuthToken("")
-			glSnippet, err := integrations.GetIntegrationSnippetAsCloudInitWritableFile(gitlab.GetRunnerArgs(), defaultUser)
+			localArgs.AuthToken = token
+			glSnippet, err := integrations.GetIntegrationSnippetAsCloudInitWritableFile(&localArgs, defaultUser)
 			if err != nil {
 				return nil, err
 			}
@@ -350,16 +361,16 @@ func (r *zRequest) buildUserDataInput() pulumi.StringPtrInput {
 				return nil, err
 			}
 			return &ud, nil
-		}).(pulumi.StringPtrOutput)
+		}).(pulumi.StringPtrOutput), nil
 	}
 	if hasOtel {
 		ud, err := izUserData(r.otelAppCode, r.otelAuthToken, r.otelEndpoint, r.otelIndex, "", r.otelExtraAttrs)
 		if err != nil {
-			return nil
+			return nil, fmt.Errorf("failed to render user data: %w", err)
 		}
-		return pulumi.StringPtr(ud)
+		return pulumi.StringPtr(ud), nil
 	}
-	return nil
+	return nil, nil
 }
 
 func izUserData(otelAppCode, otelAuthToken, otelEndpoint, otelIndex, glRunnerScript string, otelExtraAttrs map[string]string) (string, error) {