feat(ibmcloud): add GitLab runner support for IBM Power (ppc64le) and IBM Z (s390x)

Extends the GitLab runner integration to cover IBM Cloud offerings:

- Add ppc64le and s390x arch types to the gitlab integration package
- Make restorecon conditional in snippet-linux.sh for cross-distro compatibility (Ubuntu on IBM Z has no SELinux)
- Add IBMPowerGitLabRunnerArgs() and IBMZGitLabRunnerArgs() to params, hardcoding the correct arch per target
- Wire --glrunner-* flags and GLRunnerArgs into the ibm-power and ibm-z create commands
- Update IBM Power and IBM Z actions to call gitlab.CreateRunner() and inject the runner setup script into cloud-init via ApplyT
- Install git and podman on both targets (matching the fedora pattern)
- Redirect gitlab-runner stdout/stderr to /var/log/gitlab-runner/runner.log via a systemd drop-in so job execution logs are captured locally and shipped via otelcol independently of GitLab connectivity
- Add filelog/gitlab-runner otelcol receiver (when both --glrunner-token and --otel-* flags are set) to include runner job logs in the audit trail
- Add unit tests for cloud-config template rendering covering runner-only, otel-only, and combined scenarios

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adrianriobo

cmd/mapt/cmd/ibmcloud/hosts/ibm-power.go

@@ -52,6 +52,7 @@ func ibmPowerCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
+					GLRunnerArgs:  params.IBMPowerGitLabRunnerArgs(),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&ibmpower.PWArgs{
@@ -79,6 +80,7 @@ func ibmPowerCreate() *cobra.Command {
 	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
+	params.AddGitLabRunnerFlags(flagSet)
 	c.PersistentFlags().AddFlagSet(flagSet)
 	_ = c.MarkPersistentFlagRequired(params.PIPrivateSubnetID)
 	_ = c.MarkPersistentFlagRequired(params.WorkspaceID)

cmd/mapt/cmd/ibmcloud/hosts/ibm-z.go

@@ -52,6 +52,7 @@ func ibmZCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
+					GLRunnerArgs:  params.IBMZGitLabRunnerArgs(),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&ibmz.ZArgs{
@@ -75,6 +76,7 @@ func ibmZCreate() *cobra.Command {
 	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
+	params.AddGitLabRunnerFlags(flagSet)
 	c.PersistentFlags().AddFlagSet(flagSet)
 	return c
 }

cmd/mapt/cmd/params/params.go

@@ -82,7 +82,7 @@ const (
 	cirrusPWLabelsDesc string = "additional labels to use on the persistent worker (--it-cirrus-pw-labels key1=value1,key2=value2)"
 
 	glRunnerToken         string = "glrunner-token"
-	glRunnerTokenDesc     string = "GitLab Personal Access Token with api scope"
+	glRunnerTokenDesc     string = "GitLab token with create_runner scope (personal access token, group/project access token, or service account token)"
 	glRunnerProjectID     string = "glrunner-project-id"
 	glRunnerProjectIDDesc string = "GitLab project ID for project runner registration"
 	glRunnerGroupID       string = "glrunner-group-id"
@@ -271,6 +271,7 @@ func AddGitLabRunnerFlags(fs *pflag.FlagSet) {
 	fs.StringSlice(glRunnerTags, nil, glRunnerTagsDesc)
 }
 
+
 func CirrusPersistentWorkerArgs() *cirrus.PersistentWorkerArgs {
 	if viper.IsSet(cirrusPWToken) {
 		return &cirrus.PersistentWorkerArgs{
@@ -287,7 +288,7 @@ func CirrusPersistentWorkerArgs() *cirrus.PersistentWorkerArgs {
 func GitLabRunnerArgs() *gitlab.GitLabRunnerArgs {
 	if viper.IsSet(glRunnerToken) {
 		return &gitlab.GitLabRunnerArgs{
-			GitLabPAT: viper.GetString(glRunnerToken),
+			GitLabToken: viper.GetString(glRunnerToken),
 			ProjectID: viper.GetString(glRunnerProjectID),
 			GroupID:   viper.GetString(glRunnerGroupID),
 			URL:       viper.GetString(glRunnerURL),
@@ -338,3 +339,33 @@ func MACArchAsGitLabArch(arch string) *gitlab.Arch {
 	}
 	return &gitlab.Arm64
 }
+
+func IBMPowerGitLabRunnerArgs() *gitlab.GitLabRunnerArgs {
+	if viper.IsSet(glRunnerToken) {
+		return &gitlab.GitLabRunnerArgs{
+			GitLabToken: viper.GetString(glRunnerToken),
+			ProjectID: viper.GetString(glRunnerProjectID),
+			GroupID:   viper.GetString(glRunnerGroupID),
+			URL:       viper.GetString(glRunnerURL),
+			Tags:      viper.GetStringSlice(glRunnerTags),
+			Platform:  &gitlab.Linux,
+			Arch:      &gitlab.Ppc64le,
+		}
+	}
+	return nil
+}
+
+func IBMZGitLabRunnerArgs() *gitlab.GitLabRunnerArgs {
+	if viper.IsSet(glRunnerToken) {
+		return &gitlab.GitLabRunnerArgs{
+			GitLabToken: viper.GetString(glRunnerToken),
+			ProjectID: viper.GetString(glRunnerProjectID),
+			GroupID:   viper.GetString(glRunnerGroupID),
+			URL:       viper.GetString(glRunnerURL),
+			Tags:      viper.GetStringSlice(glRunnerTags),
+			Platform:  &gitlab.Linux,
+			Arch:      &gitlab.S390x,
+		}
+	}
+	return nil
+}

pkg/integrations/gitlab/glrunner.go

@@ -147,7 +147,7 @@ func CreateRunner(ctx *pulumi.Context, args *GitLabRunnerArgs) (pulumi.StringOut
 
 	// Configure GitLab provider with PAT
 	provider, err := gitlab.NewProvider(ctx, "gitlab-provider", &gitlab.ProviderArgs{
-		Token:   pulumi.String(args.GitLabPAT),
+		Token:   pulumi.String(args.GitLabToken),
 		BaseUrl: pulumi.String(args.URL),
 	})
 	if err != nil {

pkg/integrations/gitlab/snippet-linux.sh

@@ -8,8 +8,8 @@ chmod +x /tmp/gitlab-runner
 # Move to trusted path
 sudo mv /tmp/gitlab-runner /usr/bin/gitlab-runner
 
-# Fix SELinux context
-sudo restorecon -v /usr/bin/gitlab-runner
+# Fix SELinux context (no-op on non-SELinux systems)
+sudo restorecon -v /usr/bin/gitlab-runner 2>/dev/null || true
 
 # Register runner
 sudo gitlab-runner register \

pkg/integrations/gitlab/types.go

@@ -8,13 +8,15 @@ var (
 	Linux   Platform = "linux"
 	Darwin  Platform = "darwin"
 
-	Arm64 Arch = "arm64"
-	Amd64 Arch = "amd64"
-	Arm   Arch = "arm"
+	Arm64   Arch = "arm64"
+	Amd64   Arch = "amd64"
+	Arm     Arch = "arm"
+	Ppc64le Arch = "ppc64le"
+	S390x   Arch = "s390x"
 )
 
 type GitLabRunnerArgs struct {
-	GitLabPAT string   // Personal Access Token for Pulumi GitLab provider (input)
+	GitLabToken string   // Token with create_runner scope (PAT, group/project access token, or service account token)
 	ProjectID string   // GitLab project ID for project runner registration (mutually exclusive with GroupID)
 	GroupID   string   // GitLab group ID for group runner registration (mutually exclusive with ProjectID)
 	URL       string   // GitLab instance URL (e.g., https://gitlab.com)

pkg/provider/ibmcloud/action/ibm-power/cloud-config

@@ -1,6 +1,7 @@
 #cloud-config
-{{- if and .AppCode .OtelAuthToken .OtelIndex}}
+{{- if or (and .AppCode .OtelAuthToken .OtelIndex) .GitLabRunnerScript}}
 write_files:
+{{- if and .AppCode .OtelAuthToken .OtelIndex}}
   - path: /etc/otelcol-contrib/config.yaml
     permissions: '0640'
     content: |
@@ -72,6 +73,26 @@ write_files:
             index: "{{.OtelIndex}}"
             _sourceCategory: audit
             _sourceHost: ${env:HOSTNAME}
+{{- if .GitLabRunnerScript}}
+        filelog/gitlab-runner:
+          include:
+          - /var/log/gitlab-runner/runner.log
+          start_at: beginning
+          include_file_path: true
+          include_file_name: true
+          operators:
+          - type: move
+            id: move_to_source_name
+            from: attributes["log.file.path"]
+            to: attributes["_sourceName"]
+          - type: remove
+            id: remove_file_name
+            field: attributes["log.file.name"]
+          attributes:
+            index: "{{.OtelIndex}}"
+            _sourceCategory: gitlab-runner
+            _sourceHost: ${env:HOSTNAME}
+{{- end}}
       processors:
         filter/drop_null_bytes:
           logs:
@@ -109,7 +130,7 @@ write_files:
             level: "basic"
         pipelines:
           logs:
-            receivers: [filelog/syslog, filelog/secure, filelog/audit]
+            receivers: [filelog/syslog, filelog/secure, filelog/audit{{if .GitLabRunnerScript}}, filelog/gitlab-runner{{end}}]
             processors: [filter/drop_null_bytes, resource, batch]
             exporters: [otlphttp]
   - path: /etc/otelcol-contrib/auth_token
@@ -124,7 +145,21 @@ write_files:
       Environment="HOSTNAME=%H"
       EnvironmentFile=/etc/otelcol-contrib/auth_token
 {{- end}}
+{{- if .GitLabRunnerScript}}
+  - path: /etc/systemd/system/gitlab-runner.service.d/logging.conf
+    permissions: '0644'
+    content: |
+      [Service]
+      StandardOutput=append:/var/log/gitlab-runner/runner.log
+      StandardError=append:/var/log/gitlab-runner/runner.log
+  - path: /opt/install-glrunner.sh
+    permissions: '0755'
+    content: |
+{{.GitLabRunnerScript}}
+{{- end}}
+{{- end}}
 runcmd:
+  - dnf install -y git podman
   - |
     IFACE=$(ip route show default | awk '/default/ {print $5; exit}')
     ip route add 10.0.0.0/8 via {{.Gateway}} dev "$IFACE" 2>/dev/null || true
@@ -147,3 +182,7 @@ runcmd:
     systemctl daemon-reload
     systemctl enable --now otelcol-contrib
 {{- end}}
+{{- if .GitLabRunnerScript}}
+  - mkdir -p /var/log/gitlab-runner
+  - bash /opt/install-glrunner.sh
+{{- end}}

pkg/provider/ibmcloud/action/ibm-power/ibm-power.go

@@ -9,6 +9,8 @@ import (
 	"github.com/pulumi/pulumi-tls/sdk/v5/go/tls"
 	"github.com/pulumi/pulumi/sdk/v3/go/auto"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/redhat-developer/mapt/pkg/integrations"
+	"github.com/redhat-developer/mapt/pkg/integrations/gitlab"
 	"github.com/redhat-developer/mapt/pkg/manager"
 	mc "github.com/redhat-developer/mapt/pkg/manager/context"
 	ibmcloudp "github.com/redhat-developer/mapt/pkg/provider/ibmcloud"
@@ -28,14 +30,15 @@ var CloudConfig []byte
 var otelColVersion = "0.151.0"
 
 type userDataValues struct {
-	Gateway        string
-	AppCode        string
-	OtelAuthToken  string
-	OtelEndpoint   string
-	OtelColVersion string
-	OtelIndex      string
-	OtelArch       string
-	OtelExtraAttrs map[string]string
+	Gateway            string
+	AppCode            string
+	OtelAuthToken      string
+	OtelEndpoint       string
+	OtelColVersion     string
+	OtelIndex          string
+	OtelArch           string
+	OtelExtraAttrs     map[string]string
+	GitLabRunnerScript string
 }
 
 const (
@@ -160,9 +163,33 @@ func (r *pwRequest) deploy(ctx *pulumi.Context) error {
 		return fmt.Errorf("failed to look up private subnet: %w", err)
 	}
 
-	userData, err := piUserData(subnetInfo.Gateway, r.otelAppCode, r.otelAuthToken, r.otelEndpoint, r.otelIndex, r.otelExtraAttrs)
-	if err != nil {
-		return fmt.Errorf("failed to render user data: %w", err)
+	var piUserDataInput pulumi.StringPtrInput
+	glRunnerArgs := gitlab.GetRunnerArgs()
+	if glRunnerArgs != nil {
+		authToken, err := gitlab.CreateRunner(ctx, glRunnerArgs)
+		if err != nil {
+			return err
+		}
+		gateway := subnetInfo.Gateway
+		piUserDataInput = authToken.ApplyT(func(token string) (*string, error) {
+			gitlab.SetAuthToken(token)
+			defer gitlab.SetAuthToken("")
+			glSnippet, err := integrations.GetIntegrationSnippetAsCloudInitWritableFile(gitlab.GetRunnerArgs(), defaultUser)
+			if err != nil {
+				return nil, err
+			}
+			ud, err := piUserData(gateway, r.otelAppCode, r.otelAuthToken, r.otelEndpoint, r.otelIndex, *glSnippet, r.otelExtraAttrs)
+			if err != nil {
+				return nil, err
+			}
+			return &ud, nil
+		}).(pulumi.StringPtrOutput)
+	} else {
+		ud, err := piUserData(subnetInfo.Gateway, r.otelAppCode, r.otelAuthToken, r.otelEndpoint, r.otelIndex, "", r.otelExtraAttrs)
+		if err != nil {
+			return fmt.Errorf("failed to render user data: %w", err)
+		}
+		piUserDataInput = pulumi.StringPtr(ud)
 	}
 
 	imageId, err := icdata.GetImage(r.mCtx,
@@ -187,7 +214,7 @@ func (r *pwRequest) deploy(ctx *pulumi.Context) error {
 			PiCloudInstanceId: pulumi.String(r.workspaceID),
 			PiStorageType:     pulumi.String(instanceStorageType),
 			PiKeyPairName:     pki.PiKeyName,
-			PiUserData:        pulumi.StringPtr(userData),
+			PiUserData:        piUserDataInput,
 			PiNetworks: ibmcloud.PiInstancePiNetworkArray{
 				&ibmcloud.PiInstancePiNetworkArgs{
 					NetworkId: pulumi.String(r.piPrivateSubnetID),
@@ -352,17 +379,18 @@ func piKey(ctx *pulumi.Context, mCtx *mc.Context, prefix, cId string, cloudInsta
 
 // piUserData renders the cloud-config template and returns it base64-encoded
 // for use as PiUserData on a PowerVS instance.
-func piUserData(gateway, otelAppCode, otelAuthToken, otelEndpoint, otelIndex string, otelExtraAttrs map[string]string) (string, error) {
+func piUserData(gateway, otelAppCode, otelAuthToken, otelEndpoint, otelIndex, glRunnerScript string, otelExtraAttrs map[string]string) (string, error) {
 	script, err := file.Template(
 		userDataValues{
-			Gateway:        gateway,
-			AppCode:        otelAppCode,
-			OtelAuthToken:  otelAuthToken,
-			OtelEndpoint:   otelEndpoint,
-			OtelColVersion: otelColVersion,
-			OtelIndex:      otelIndex,
-			OtelArch:       "ppc64le",
-			OtelExtraAttrs: otelExtraAttrs,
+			Gateway:            gateway,
+			AppCode:            otelAppCode,
+			OtelAuthToken:      otelAuthToken,
+			OtelEndpoint:       otelEndpoint,
+			OtelColVersion:     otelColVersion,
+			OtelIndex:          otelIndex,
+			OtelArch:           "ppc64le",
+			OtelExtraAttrs:     otelExtraAttrs,
+			GitLabRunnerScript: glRunnerScript,
 		},
 		string(CloudConfig))
 	if err != nil {