Test gitlab role on AlmaLinux OS

Normo · Normo · commit 700a3de7d734 · 2025-07-30T10:59:05.000+02:00
Signed-off-by: Norman Ziegner &lt;n.ziegner@hzdr.de&gt;
diff --git a/.github/workflows/gitlab.yml b/.github/workflows/gitlab.yml
@@ -45,6 +45,7 @@ jobs:
       fail-fast: false
       matrix:
         image:
+          - "ghcr.io/hifis-net/almalinux-systemd:9"
           - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
           - "ghcr.io/hifis-net/ubuntu-systemd:24.04"
           - "ghcr.io/hifis-net/debian-systemd:11"
diff --git a/molecule/gitlab/prepare.yml b/molecule/gitlab/prepare.yml
@@ -12,6 +12,23 @@
         - "ansible_facts.os_family == 'RedHat'"
         - "ansible_facts.distribution_major_version | int >= 7"
       block:
+        - name: "Get file stats for /etc/shadow"
+          ansible.builtin.stat:
+            path: "/etc/shadow"
+          register: "shadow"
+
+        - name: "Output file stats for /etc/shadow"
+          ansible.builtin.debug:
+            var: "shadow"
+
+        - name: "Fix permissions for /etc/shadow"
+          ansible.builtin.file:
+            path: "/etc/shadow"
+            owner: "root"
+            group: "{{ shadow.stat.gr_name }}"
+            mode: "0640"
+          when: "not shadow.stat.rusr"
+
         - name: "Install missing dependencies"
           ansible.builtin.dnf:
             name:
diff --git a/roles/gitlab/tasks/install.yml b/roles/gitlab/tasks/install.yml
@@ -10,6 +10,7 @@
   ansible.builtin.package:
     name: "{{ gitlab_dependencies }}"
     state: "present"
+    allowerasing: "{{ true if ansible_facts['os_family'] == 'RedHat' else omit }}"
 
 - name: "Prepare Debian GitLab installation"
   when: "ansible_facts.os_family == 'Debian'"
@@ -71,6 +72,7 @@
         gpgkey:
           - "{{ gitlab_gpg_key_url }}"
           - "{{ gitlab_gpg_key_url }}/gitlab-{{ gitlab_edition }}-3D645A26AB9FBD22.pub.gpg"
+          - "{{ gitlab_gpg_key_url }}/gitlab-{{ gitlab_edition }}-CB947AD886C8E8FD.pub.gpg"
         sslverify: true
         sslcacert: "/etc/pki/tls/certs/ca-bundle.crt"
         metadata_expire: "300"
@@ -87,6 +89,7 @@
         gpgkey:
           - "{{ gitlab_gpg_key_url }}"
           - "{{ gitlab_gpg_key_url }}/gitlab-{{ gitlab_edition }}-3D645A26AB9FBD22.pub.gpg"
+          - "{{ gitlab_gpg_key_url }}/gitlab-{{ gitlab_edition }}-CB947AD886C8E8FD.pub.gpg"
         sslverify: true
         sslcacert: "/etc/pki/tls/certs/ca-bundle.crt"
         metadata_expire: "300"
