fix: sync-tools playbook uses agent forwarding, not socket hunting

- Add become: false to git tasks so SSH_AUTH_SOCK survives (sudo drops it) - Fetch explicit branch names instead of bare `git fetch origin` - Remove the fragile `Find SSH agent socket` workaround Requires ForwardAgent yes in SSH config (added to ~/.ssh/config). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 06:20:16 +00:00 · 2026-03-09 06:20:16 +00:00 · f842aba56a
parent 601f520a45
commit f842aba56a
1 changed files with 8 additions and 11 deletions
--- a/playbooks/biscayne-sync-tools.yml
+++ b/playbooks/biscayne-sync-tools.yml
@ -30,15 +30,19 @@
    stack_branch: main

  tasks:
+    # Git operations run as the connecting user (no become) so that
+    # SSH agent forwarding works. sudo drops SSH_AUTH_SOCK.
    - name: Update laconic-so (editable install)
+      become: false
      ansible.builtin.shell: |
        cd {{ laconic_so_repo }}
-        git fetch origin
+        git fetch origin {{ laconic_so_branch }}
        git reset --hard origin/{{ laconic_so_branch }}
      register: laconic_so_update
      changed_when: true

    - name: Show laconic-so version
+      become: false
      ansible.builtin.shell:
        cmd: set -o pipefail && cd {{ laconic_so_repo }} && git log --oneline -1
        executable: /bin/bash
@ -49,24 +53,17 @@
      ansible.builtin.debug:
        msg: "laconic-so: {{ laconic_so_version.stdout }}"

-    - name: Find SSH agent socket
-      ansible.builtin.shell:
-        cmd: set -o pipefail && ls -t /tmp/ssh-*/agent.* 2>/dev/null | head -1
-        executable: /bin/bash
-      register: ssh_agent_socket
-      changed_when: false
-      failed_when: ssh_agent_socket.stdout == ""
-
    - name: Pull agave-stack repo
+      become: false
      ansible.builtin.shell: |
-        export SSH_AUTH_SOCK={{ ssh_agent_socket.stdout }}
        cd {{ stack_repo }}
-        git fetch origin
+        git fetch origin {{ stack_branch }}
        git reset --hard origin/{{ stack_branch }}
      register: stack_update
      changed_when: true

    - name: Show agave-stack version
+      become: false
      ansible.builtin.shell:
        cmd: set -o pipefail && cd {{ stack_repo }} && git log --oneline -1
        executable: /bin/bash