updating ansible-lint (#155)

.ansible-lint

@@ -0,0 +1,128 @@
+---
+# .ansible-lint
+
+profile: production # min, basic, moderate,safety, shared, production
+
+# Allows dumping of results in SARIF format
+# sarif_file: result.sarif
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - .github/
+  - changelogs/
+  - docs/
+  - collections/
+# parseable: true
+# quiet: true
+# strict: true
+# verbosity: 1
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
+mock_modules:
+  - community.vmware.vmware_guest_snapshot
+
+# mock_roles:
+#   - mocked_role
+#   - author.role_name # old standalone galaxy role
+#   - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: ^(__|{role}_)
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: ^[a-z_][a-z0-9_]*$
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+#   - ./rule/directory/
+
+# Ansible-lint is able to recognize and load skip rules stored inside
+# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files.
+# To skip a rule just enter filename and tag, like "playbook.yml package-latest"
+# on a new line.
+# Optionally you can add comments after the tag, prefixed by "#". We discourage
+# the use of skip_list below because that will hide violations from the output.
+# When putting ignores inside the ignore file, they are marked as ignored, but
+# still visible, making it easier to address later.
+skip_list:
+  - yaml[colons] # Violations reported by yamllint.
+  - yaml[line-length] # Violations reported by yamllint.
+  - var-naming
+
+# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
+# You must enable opt-in rules by listing each rule 'id' below.
+enable_list:
+  - args
+  - empty-string-compare # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
+  - name[prefix] # opt-in
+  # add yaml here if you want to avoid ignoring yaml checks when yamllint
+  # library is missing. Normally its absence just skips using that rule.
+  - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+#   - jinja[spacing]
+
+# Ansible-lint does not fail on warnings from the rules or tags listed below
+warn_list:
+  - experimental # experimental is included in the implicit list
+  - git-latest # Allow for newest git version
+  - package-latest # Allow newest package version
+  - risky-file-permissions # File permissions unset or incorrect.
+  - template-instead-of-copy # Templated files should use template instead of copy
+  - sanity[cannot-ignore] # cope with shebang test bug
+
+# Some rules can transform files to fix (or make it easier to fix) identified
+# errors. `ansible-lint --fix` will reformat YAML files and run these transforms.
+# By default it will run all transforms (effectively `write_list: ["all"]`).
+# You can disable running transforms by setting `write_list: ["none"]`.
+# Or only enable a subset of rule transforms by listing rules/tags here.
+# write_list:
+#   - all
+
+# Offline mode disables installation of requirements.yml and schema refreshing
+offline: false
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+#   foo: bar
+#   multiline_string_variable: |
+#     line1
+#     line2
+#   complex_variable: ":{;\t$()"
+
+# Uncomment to enforce action validation with tasks, usually is not
+# needed as Ansible syntax check also covers it.
+# skip_action_validation: false
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+  # - playbook: "**/examples/*.{yml,yaml}"
+  # - galaxy: "**/folder/galaxy.yml"
+  # - tasks: "**/tasks/*.yml"
+  # - vars: "**/vars/*.yml"
+  # - meta: "**/meta/main.yml"
+  - yaml: "**/*.yaml-too"
+
+# List of additional collections to allow in only-builtins rule.
+# only_builtins_allow_collections:
+#   - example_ns.example_collection
+
+# List of additions modules to allow in only-builtins rule.
+# only_builtins_allow_modules:
+#   - example_module
+
+# Allow setting custom prefix for name[prefix] rule
+task_name_prefix: "{stem} | "
+# Complexity related settings
+
+# Limit the depth of the nested blocks:
+# max_block_depth: 20
+...

.github/workflows/pre-commit.yml → .github/workflows/ansible-lint.yml

@@ -1,18 +1,12 @@
 ---
 name: Yaml and Ansible Lint
-
 on: [push, pull_request, workflow_call]  # yamllint disable-line rule:truthy
-
 jobs:
-  pre-commit:
+  build:
+    name: Ansible Lint # Naming the build is important to use it as a status check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-      - name: Install Ansible
-        run: pip install --upgrade ansible-core
+      - uses: actions/checkout@v4
 
       - name: Build collection
         run: ansible-galaxy collection build -vvv
@@ -24,7 +18,7 @@ jobs:
         id: vers
 
       - name: Install collection
-        run: ansible-galaxy collection install ./infra-leapp-${{ steps.vers.outputs.NUM }}.tar.gz -p /home/runner/collections
+        run: ansible-galaxy collection install ./infra-leapp-${{ steps.vers.outputs.NUM }}.tar.gz # -p /home/runner/collections
         shell: bash
         working-directory: ${{ vars.GITHUB_PATH }}
 
@@ -34,5 +28,7 @@ jobs:
 
       - name: Install collection dependencies
         run: ansible-galaxy collection install -r ${{ github.run_id }}.yml
-      - uses: pre-commit/action@v3.0.0
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@main # or version tag instead of 'main'
 ...

.yamllint.yml → .yamllint

@@ -28,6 +28,6 @@ rules:
     level: error
     # Allow only YAML 1.2 booleans https://redhat-cop.github.io/automation-good-practices/#_yaml_and_jinja2_syntax
     allowed-values:
-      - 'true'
-      - 'false'
+      - "true"
+      - "false"
 ...

galaxy.yml

@@ -27,7 +27,7 @@ build_ignore:
   - .gitignore
   - changelogs/.plugin-cache.yaml
 dependencies:
-  "ansible.posix": ">=1.5.1"
-  "fedora.linux_system_roles": '>=1.21.0'
-  "community.general": '>=6.6.0'
+  ansible.posix: ">=1.5.1"
+  fedora.linux_system_roles: ">=1.21.0"
+  community.general: ">=6.6.0"
 ...

meta/runtime.yml

@@ -1,3 +1,3 @@
 ---
-requires_ansible: '>=2.14.0'  # Use '>= 2.9.10' instead, if needed
+requires_ansible: ">=2.14.0" # Use '>= 2.9.10' instead, if needed
 ...

playbooks/analysis.yml

@@ -7,14 +7,14 @@
   force_handlers: true
 
   vars:
-    satellite_organization: 'My Satellite Organization'
-    satellite_activation_key_pre_leapp: 'MY_ACTIVATION_KEY_PRE'
-    satellite_activation_key_leapp: 'MY_ACTIVATION_KEY'
+    satellite_organization: My Satellite Organization
+    satellite_activation_key_pre_leapp: MY_ACTIVATION_KEY_PRE
+    satellite_activation_key_leapp: MY_ACTIVATION_KEY
     # By default the analysis role will use:
     # analysis_repos_el7: rhel-7-server-extras-rpms
     # Optionally override the default analysis_repos_el7 to use the upstream copr leapp repository:
     # analysis_repos_el7: copr:copr.fedorainfracloud.org:group_oamg:leapp
-    leapp_preupg_opts: '--target 8.8'
+    leapp_preupg_opts: --target 8.8
     leapp_answerfile: |
       [remove_pam_pkcs11_module_check]
       confirm = True

playbooks/upgrade.yml

@@ -5,10 +5,10 @@
   become: true
   force_handlers: true
   vars:
-    satellite_organization: 'My Satellite Organization'
-    satellite_activation_key_leapp: 'MY_ACTIVATION_KEY'
-    satellite_activation_key_post_leapp: 'MY_ACTIVATION_KEY_POST'
-    leapp_upgrade_opts: '--target 8.8'
+    satellite_organization: My Satellite Organization
+    satellite_activation_key_leapp: MY_ACTIVATION_KEY
+    satellite_activation_key_post_leapp: MY_ACTIVATION_KEY_POST
+    leapp_upgrade_opts: --target 8.8
     update_grub_to_grub_2: true
     selinux_mode: permissive
   tasks:

roles/analysis/handlers/main.yml

@@ -16,6 +16,7 @@
     --activationkey="{{ satellite_activation_key_pre_leapp }}"
     --force
   register: sub_man_reg
+  changed_when: true
   failed_when: false
 
 - name: Remove lynx package

roles/analysis/meta/main.yml

@@ -52,6 +52,4 @@ galaxy_info:
   #       Maximum 20 tags per role.
 
 dependencies: []
-# List your role dependencies here, one per line. Be sure to remove the '[]' above,
-# if you add dependencies to this list.
 ...

roles/analysis/tasks/analysis-leapp.yml

@@ -1,5 +1,5 @@
 ---
-- name: Register to leapp activation key
+- name: analysis-leapp | Register to leapp activation key
   community.general.redhat_subscription:
     state: present
     activationkey: "{{ satellite_activation_key_leapp }}"
@@ -11,56 +11,56 @@
     - satellite_organization is defined
     - satellite_activation_key_leapp is defined
 
-- name: Install packages for preupgrade analysis on RHEL 7
+- name: analysis-leapp | Install packages for preupgrade analysis on RHEL 7
   ansible.builtin.package:
     name: "{{ analysis_packages_el7 }}"
     enablerepo: "{{ analysis_repos_el7 }}"
-    state: latest
+    state: latest # noqa package-latest
   when: ansible_distribution_major_version|int == 7
 
-- name: Install packages for preupgrade analysis on RHEL 8
+- name: analysis-leapp | Install packages for preupgrade analysis on RHEL 8
   ansible.builtin.package:
     name: "{{ analysis_packages_el8 }}"
-    state: latest
+    state: latest # noqa package-latest
   when: ansible_distribution_major_version|int == 8
 
-- name: Ensure leapp log directory exists
+- name: analysis-leapp | Ensure leapp log directory exists
   ansible.builtin.file:
     path: /var/log/leapp
     state: directory
     owner: root
     group: root
-    mode: '0755'
+    mode: "0755"
 
-- name: Populate leapp_answers file
+- name: analysis-leapp | Populate leapp_answers file
   ansible.builtin.copy:
     content: "{{ leapp_answerfile }}"
     dest: /var/log/leapp/answerfile
     owner: root
     group: root
-    mode: '0644'
+    mode: "0644"
   when: leapp_answerfile is defined
 
-- name: Leapp preupgrade report
+- name: analysis-leapp | Leapp preupgrade report
   ansible.builtin.shell: >
-    export PATH={{ os_path }}
     set -o pipefail;
+    export PATH={{ os_path }};
     leapp preupgrade
     {{ leapp_preupg_opts }}
     {{ leapp_enable_repos_args }}
     2>&1 | tee -a {{ log_file }}
+  changed_when: true
   register: leapp
   args:
     executable: /bin/bash
   async: "{{ async_timeout_maximum | int }}"
   poll: "{{ async_poll_interval | int }}"
   failed_when: "'report has been generated' not in leapp.stdout"
 
-- name: Include check-results-file.yml
+- name: analysis-leapp | Include check-results-file.yml
   ansible.builtin.include_tasks: check-results-file.yml
 
-- name: Include the parse_leapp_report role to check for inhibitors
+- name: analysis-leapp | Include the parse_leapp_report role to check for inhibitors
   ansible.builtin.include_role:
     name: infra.leapp.parse_leapp_report
-
 ...