ci: untrusted run phase, use patch workspace roles

hjensas · hjensas · commit 48be96159c5d · 2026-02-15T02:02:16.000+01:00
Set ansible_roles_path at play level to prepend patch workspace
roles directory. This enables testing role changes in PRs during
deploy and test phases while keeping trusted pre-run phase secure.

Assisted-By: Claude Code/claude-4.5-sonnet
Signed-off-by: Harald Jensås &lt;hjensas@redhat.com&gt;
diff --git a/ci/playbooks/run-deploy.yml b/ci/playbooks/run-deploy.yml
@@ -3,6 +3,13 @@
   hosts: hotstack
   vars:
     hotstack_work_dir: "{{ ansible_user_dir }}/hotstack"
+    # Prepend patch workspace roles to search path to test PR changes.
+    # Parent job's roles: directive loads main branch for security.
+    ansible_roles_path: >-
+      {{ zuul.projects['github.com/openstack-k8s-operators/hotstack'].src_dir }}/roles:{{
+        lookup('env', 'ANSIBLE_ROLES_PATH') |
+        default('/etc/ansible/roles:/usr/share/ansible/roles', true)
+      }}
   tasks:
 
     - name: Fetch bootstrap vars from remote to zuul executor
diff --git a/ci/playbooks/run-tests.yml b/ci/playbooks/run-tests.yml
@@ -3,6 +3,13 @@
   hosts: hotstack
   vars:
     hotstack_work_dir: "{{ ansible_user_dir }}/hotstack"
+    # Prepend patch workspace roles to search path to test PR changes.
+    # Parent job's roles: directive loads main branch for security.
+    ansible_roles_path: >-
+      {{ zuul.projects['github.com/openstack-k8s-operators/hotstack'].src_dir }}/roles:{{
+        lookup('env', 'ANSIBLE_ROLES_PATH') |
+        default('/etc/ansible/roles:/usr/share/ansible/roles', true)
+      }}
   tasks:
 
     - name: Fetch bootstrap vars from remote to zuul executor
