GitHub Action for running Ansible Playbooks with comprehensive configuration options for Galaxy, SSH, Vault, and privilege escalation.
- Ansible Playbook Execution: Run Ansible playbooks in GitHub Actions workflows
- Galaxy Integration: Install roles and collections from Ansible Galaxy
- SSH Authentication: Automatic SSH key normalization and authentication
- Vault Support: Secure handling of Ansible Vault passwords
- Flexible Configuration: Comprehensive options for inventory, tags, variables, and more
Specifies the path to the Ansible Galaxy requirements file.
Forces the reinstallation of roles or collections from the Galaxy file.
Sets the API key used for authenticating to Ansible Galaxy.
Defines the URL of the Ansible Galaxy API server to interact with.
Sets the path to the directory where Galaxy collections are stored.
Disables GPG signature verification for Ansible Galaxy operations.
Forces the installation of collections with their dependencies from Galaxy.
Ignores SSL certificate validation for Ansible Galaxy requests.
Lists HTTP status codes to ignore during Galaxy signature validation.
Specifies the path to the GPG keyring used with Ansible Galaxy.
Enables offline mode, preventing any requests to Ansible Galaxy.
Allows the installation of pre-release versions from Ansible Galaxy.
Sets the required number of valid GPG signatures for Galaxy content.
Defines the path to the Ansible Galaxy requirements file.
Specifies a specific GPG signature to verify for Galaxy content.
Sets the timeout in seconds for Ansible Galaxy operations.
Enables automatic upgrading of Galaxy collections to the latest version.
Disables automatic resolution of dependencies in Ansible Galaxy.
Required. Specifies one or more inventory host files for Ansible to use.
Required. List of playbooks to apply.
Further limit selected hosts to an additional pattern.
Only run plays and tasks whose tags do not match these values.
Start the playbook at the task matching this name.
Only run plays and tasks tagged with these values.
Set additional variables in a key=value format for the playbook.
Prepends specified paths to the module library path list.
Executes a dry run, showing what changes would be made without making them.
Shows the differences in files and templates when changing them.
Clears the fact cache for every host in the inventory.
Runs all handlers even if a task fails.
Outputs a list of matching hosts.
List all available tags.
List all tasks that would be executed.
Performs a syntax check on the playbook, without executing it.
Defines the number of parallel processes to use during playbook execution.
Specifies the identity to use when accessing an Ansible Vault.
The vault password to use. This should be stored in a Secret on Github.
Sets the verbosity level, ranging from 0 (minimal output) to 4 (maximum verbosity).
Specifies the SSH private key content for connections. The key will be written to a temporary file by the action. This should be stored in a Secret on Github.
Starting with v1.2.0: The action automatically normalizes SSH keys (converts CRLF to LF, adds trailing newlines, validates format).
Note: For bastion host or ProxyCommand issues on older versions, see the SSH Authentication section for workarounds.
Defines the username for making connections.
Sets the type of connection to use (e.g., SSH).
Overrides the default connection timeout in seconds.
Specifies common arguments to pass to all SSH-based connection methods (SSH, SCP, SFTP).
Provides extra arguments to pass only to SFTP.
Provides extra arguments to pass only to SCP.
Provides extra arguments to pass only to SSH.
Enables privilege escalation, allowing operations to run as another user.
Specifies the method to use for privilege escalation (e.g., sudo).
Sets the user to impersonate when using privilege escalation.
Path to an ansible.cfg configuration file to use (sets ANSIBLE_CONFIG).
Disables colorized output.
Sets the stdout callback plugin for Ansible output (e.g. yaml, json, minimal).
Comma-separated list of enabled callback plugins (e.g. profile_tasks,timer).
Specifies the strategy plugin to use (e.g. linear, free, mitogen_linear).
Limits the scope of gathered facts (e.g. !all,!min,network).
Timeout in seconds for gathering facts (0-3600, 0 = ansible default).
Path to local fact files loaded as host facts.
Caching method to use for facts (e.g. jsonfile, redis, memory).
Timeout in seconds for the fact cache (0 = no expiry).
Interval in seconds for polling async tasks (0-3600, 0 = ansible default).
Maximum percentage of hosts that can fail before the playbook aborts (0-100).
Treats any task error as fatal, aborting the whole play.
Method for file transfer over SSH (e.g. scp or sftp).
Path to a file containing the vault password (alternative to vault_password).
Path to a file containing the SSH private key (alternative to private_key).
Directory for Ansible temporary files.
Beyond the basic inputs, the action exposes Ansible's advanced execution
options. Each input is also readable from an environment variable named
ANSIBLE_<INPUT_NAME_UPPERCASE>, so the two forms below are equivalent — set
them as action inputs via with: or as environment variables via env:.
Heads-up: use the action's
ANSIBLE_<INPUT_NAME>spelling, not Ansible's own native variable name. A few differ:strategy_plugin→ANSIBLE_STRATEGY_PLUGIN(Ansible's native var isANSIBLE_STRATEGY),fact_caching→ANSIBLE_FACT_CACHING(native:ANSIBLE_CACHE_PLUGIN),config_file→ANSIBLE_CONFIG_FILE(native:ANSIBLE_CONFIG).
- name: Deploy with advanced Ansible tuning
uses: arillso/action.playbook@master
with:
playbook: deploy.yml
inventory: ansible_hosts.yml
# Performance: run plays free of the per-host lockstep, cache facts
strategy_plugin: free
fact_caching: jsonfile
fact_caching_timeout: '7200'
# Only gather the facts you need
gather_subset: '!all,!min,network'
gather_timeout: '30'
# Richer output and timing breakdown
output_callback: yaml
callbacks_enabled: profile_tasks,timer
# Fail fast across a fleet
max_fail_percentage: '25'
any_errors_fatal: 'true'
env:
ANSIBLE_HOST_KEY_CHECKING: 'false'Note:
fact_caching: jsonfilealso needs a cache directory. Set it viaenv: { ANSIBLE_CACHE_PLUGIN_CONNECTION: /tmp/ansible_facts }or a customconfig_file. Plugin-specific options that have no dedicated input are always reachable throughenv:or anansible.cfgreferenced byconfig_file.
✨ New in v1.2.0+
SSH private keys are automatically normalized:
- Windows line endings (CRLF) → Unix format (LF)
- Missing trailing newlines are added
- Format validation (RSA, OpenSSH, EC, DSA)
- name: Deploy with Ansible
uses: arillso/action.playbook@1.2.0
with:
playbook: deploy.yml
inventory: ansible_hosts.yml
private_key: ${{ secrets.SSH_PRIVATE_KEY }}
env:
ANSIBLE_HOST_KEY_CHECKING: 'false'🔒 Security Warning: NEVER commit private SSH keys to your repository!
- Go to repository Settings → Secrets and variables → Actions
- Click "New repository secret"
- Name:
SSH_PRIVATE_KEY - Value: Paste your entire private key (including
-----BEGIN/END-----headers) - Click "Add secret"
Your key must have proper PEM headers (-----BEGIN RSA PRIVATE KEY----- or similar). Line endings and trailing newlines are automatically fixed in v1.2.0+.
For versions < 1.2.0 or edge cases, use extra_vars to pass the key file path:
- name: Setup SSH Key
run: |
echo "${{ secrets.SSH_PRIVATE_KEY }}" > /tmp/ssh_key
chmod 600 /tmp/ssh_key
- name: Deploy
uses: arillso/action.playbook@master
with:
playbook: deploy.yml
inventory: ansible_hosts.yml
extra_vars: ansible_ssh_private_key_file=/tmp/ssh_keyFor verbose SSH debugging, set verbose: 4 in the action inputs.
- name: Play Ansible Playbook
uses: arillso/action.playbook@master
with:
playbook: tests/playbook.yml
inventory: tests/hosts.yml
galaxy_file: tests/requirements.yml
env:
ANSIBLE_HOST_KEY_CHECKING: 'false'
ANSIBLE_DEPRECATION_WARNINGS: 'false'This project is under the MIT License. See the LICENSE file for the full license text.
(c) 2020-2026, Arillso