gitlab: Add explicit become directives

Normo · Normo · commit 4d0399c72383 · 2025-11-10T15:47:13.000+01:00
Signed-off-by: Norman Ziegner &lt;n.ziegner@hzdr.de&gt;
diff --git a/roles/gitlab/tasks/configure.yml b/roles/gitlab/tasks/configure.yml
@@ -6,6 +6,7 @@
 ---
 
 - name: "Copy gitlab-secrets.json"
+  become: true
   ansible.builtin.copy:
     src: "{{ gitlab_secrets_file }}"
     dest: "/etc/gitlab/gitlab-secrets.json"
@@ -60,6 +61,7 @@
     - "Reconfigure Non Primary GitLab"
 
 - name: "Create file to prevent Gitlab to restart before migrations"
+  become: true
   ansible.builtin.copy:
     content: ""
     dest: "/etc/gitlab/skip-auto-reconfigure"
@@ -70,6 +72,7 @@
   when: "gitlab_is_primary"
 
 - name: "Create file to prevent Gitlab to backup database"
+  become: true
   ansible.builtin.copy:
     content: ""
     dest: "/etc/gitlab/skip-auto-backup"
diff --git a/roles/gitlab/tasks/feature-flag.yml b/roles/gitlab/tasks/feature-flag.yml
@@ -6,12 +6,14 @@
 ---
 
 - name: "Check if feature flag is already enabled for {{ gitlab_feature_flag.name }}"
+  become: true
   ansible.builtin.command:
     cmd: "gitlab-rails runner 'is_feature_enabled = Feature.enabled?(:{{ gitlab_feature_flag.name }}); puts is_feature_enabled'"
   register: "__gitlab_is_feature_enabled"
   changed_when: false
 
 - name: "Enable or disable feature flag {{ gitlab_feature_flag.name }}"
+  become: true
   ansible.builtin.command:
     cmd: "gitlab-rails runner 'Feature.{{ 'enable' if gitlab_feature_flag.enabled else 'disable' }}(:{{ gitlab_feature_flag.name }})'"
   changed_when: true
diff --git a/roles/gitlab/tasks/install.yml b/roles/gitlab/tasks/install.yml
@@ -16,27 +16,31 @@
   when: "ansible_facts.os_family == 'Debian'"
   block:
     - name: "Remove GitLab APT GPG key from legacy trusted.gpg keyring"
+      become: true
       ansible.builtin.apt_key:
         url: "{{ gitlab_gpg_key_url }}"
         id: "{{ gitlab_gpg_key_id }}"
         state: "absent"
       when: "not __gitlab_is_initial_dryrun"
 
     - name: "Remove GitLab APT repository from sources.list"
+      become: true
       ansible.builtin.apt_repository:
         repo: "deb {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main"
         state: "absent"
         filename: "gitlab_{{ gitlab_edition }}"
         update_cache: false
 
     - name: "Remove GitLab source APT repository from sources.list"
+      become: true
       ansible.builtin.apt_repository:
         repo: "deb-src {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main"
         state: "absent"
         filename: "gitlab_{{ gitlab_edition }}"
         update_cache: false
 
     - name: "Add GitLab APT repository"
+      become: true
       ansible.builtin.deb822_repository:
         name: "{{ gitlab_edition }}"
         types:
@@ -52,6 +56,7 @@
         enabled: true
 
     - name: "Update APT package cache"
+      become: true
       ansible.builtin.apt:
         update_cache: true
       check_mode: false
@@ -61,6 +66,7 @@
   when: "ansible_facts.os_family == 'RedHat'"
   block:
     - name: "Add GitLab yum repository"
+      become: true
       ansible.builtin.yum_repository:
         name: "gitlab_{{ gitlab_edition }}"
         description: "GitLab yum repo"
@@ -78,6 +84,7 @@
         metadata_expire: "300"
 
     - name: "Add GitLab source yum repository"
+      become: true
       ansible.builtin.yum_repository:
         name: "gitlab_{{ gitlab_edition }}-source"
         description: "GitLab source yum repo"
@@ -95,6 +102,7 @@
         metadata_expire: "300"
 
     - name: "Update yum package cache"
+      become: true
       ansible.builtin.dnf:
         update_cache: true
       check_mode: false
@@ -112,6 +120,7 @@
     - "__gitlab_rails_binary.stat.executable"
   block:
     - name: "Get the currently installed GitLab version"
+      become: true
       ansible.builtin.slurp:
         path: "/var/opt/gitlab/gitlab-rails/VERSION"
       register: "__gitlab_version_base64"
@@ -147,6 +156,7 @@
   rescue:
 
     - name: "Ensure GitLab directory exists"
+      become: true
       ansible.builtin.file:
         path: "/etc/gitlab"
         state: "directory"
@@ -155,6 +165,7 @@
         mode: "0775"
 
     - name: "Create file to detect a failed reconfigure"
+      become: true
       ansible.builtin.copy:
         content: "This file is managed by Ansible."
         dest: "/etc/gitlab/reconfigure_failed"
diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml
@@ -13,16 +13,13 @@
 
 - name: "Reconfigure GitLab"
   ansible.builtin.import_tasks: "reconfigure.yml"
-  become: true
   when: "__gitlab_reconfigure_failed.stat.exists"
 
 - name: "Install GitLab"
   ansible.builtin.import_tasks: "install.yml"
-  become: true
 
 - name: "Configure GitLab"
   ansible.builtin.import_tasks: "configure.yml"
-  become: true
 
 - name: "Check if GitLab is already configured"
   ansible.builtin.stat:
diff --git a/roles/gitlab/tasks/reconfigure.yml b/roles/gitlab/tasks/reconfigure.yml
@@ -30,6 +30,7 @@
     - "gitlab_is_primary"
 
 - name: "Remove file that indicates a failed reconfigure"
+  become: true
   ansible.builtin.file:
     path: "/etc/gitlab/reconfigure_failed"
     state: "absent"
