updating ansible-lint

.ansible-lint

@@ -0,0 +1,130 @@
+---
+# .ansible-lint
+
+profile: production # min, basic, moderate,safety, shared, production
+
+# Allows dumping of results in SARIF format
+# sarif_file: result.sarif
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
+exclude_paths:
+  - '.github/'
+  - 'changelogs/'
+  - 'docs/'
+  - 'collections/'
+# parseable: true
+# quiet: true
+# strict: true
+# verbosity: 1
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
+mock_modules:
+  - community.vmware.vmware_guest_snapshot
+
+# mock_roles:
+#   - mocked_role
+#   - author.role_name # old standalone galaxy role
+#   - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: "^(__|{role}_)"
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: "^[a-z_][a-z0-9_]*$"
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+#   - ./rule/directory/
+
+# Ansible-lint is able to recognize and load skip rules stored inside
+# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files.
+# To skip a rule just enter filename and tag, like "playbook.yml package-latest"
+# on a new line.
+# Optionally you can add comments after the tag, prefixed by "#". We discourage
+# the use of skip_list below because that will hide violations from the output.
+# When putting ignores inside the ignore file, they are marked as ignored, but
+# still visible, making it easier to address later.
+skip_list:
+  - yaml[colons] # Violations reported by yamllint.
+  - yaml[line-length]  # Violations reported by yamllint.
+  - var-naming
+
+# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
+# You must enable opt-in rules by listing each rule 'id' below.
+enable_list:
+  - args
+  - empty-string-compare # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
+  - name[prefix] # opt-in
+  # add yaml here if you want to avoid ignoring yaml checks when yamllint
+  # library is missing. Normally its absence just skips using that rule.
+  - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+#   - jinja[spacing]
+
+# Ansible-lint does not fail on warnings from the rules or tags listed below
+warn_list:
+  - experimental # experimental is included in the implicit list
+  - git-latest # Allow for newest git version
+  - package-latest # Allow newest package version
+  - risky-file-permissions  # File permissions unset or incorrect.
+  - template-instead-of-copy  # Templated files should use template instead of copy
+  - sanity[cannot-ignore] # cope with shebang test bug
+  # - role-name
+  # - yaml[document-start]  # you can also use sub-rule matches
+
+# Some rules can transform files to fix (or make it easier to fix) identified
+# errors. `ansible-lint --fix` will reformat YAML files and run these transforms.
+# By default it will run all transforms (effectively `write_list: ["all"]`).
+# You can disable running transforms by setting `write_list: ["none"]`.
+# Or only enable a subset of rule transforms by listing rules/tags here.
+# write_list:
+#   - all
+
+# Offline mode disables installation of requirements.yml and schema refreshing
+offline: false
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+#   foo: bar
+#   multiline_string_variable: |
+#     line1
+#     line2
+#   complex_variable: ":{;\t$()"
+
+# Uncomment to enforce action validation with tasks, usually is not
+# needed as Ansible syntax check also covers it.
+# skip_action_validation: false
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+  # - playbook: "**/examples/*.{yml,yaml}"
+  # - galaxy: "**/folder/galaxy.yml"
+  # - tasks: "**/tasks/*.yml"
+  # - vars: "**/vars/*.yml"
+  # - meta: "**/meta/main.yml"
+  - yaml: "**/*.yaml-too"
+
+# List of additional collections to allow in only-builtins rule.
+# only_builtins_allow_collections:
+#   - example_ns.example_collection
+
+# List of additions modules to allow in only-builtins rule.
+# only_builtins_allow_modules:
+#   - example_module
+
+# Allow setting custom prefix for name[prefix] rule
+task_name_prefix: "{stem} | "
+# Complexity related settings
+
+# Limit the depth of the nested blocks:
+# max_block_depth: 20
+...

.github/workflows/pre-commit.yml → .github/workflows/ansible-lint.yml

@@ -1,18 +1,12 @@
 ---
 name: Yaml and Ansible Lint
-
 on: [push, pull_request, workflow_call]  # yamllint disable-line rule:truthy
-
 jobs:
-  pre-commit:
+  build:
+    name: Ansible Lint # Naming the build is important to use it as a status check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.x'
-      - name: Install Ansible
-        run: pip install --upgrade ansible-core
+      - uses: actions/checkout@v4
 
       - name: Build collection
         run: ansible-galaxy collection build -vvv
@@ -24,7 +18,7 @@ jobs:
         id: vers
 
       - name: Install collection
-        run: ansible-galaxy collection install ./infra-leapp-${{ steps.vers.outputs.NUM }}.tar.gz -p /home/runner/collections
+        run: ansible-galaxy collection install ./infra-leapp-${{ steps.vers.outputs.NUM }}.tar.gz # -p /home/runner/collections
         shell: bash
         working-directory: ${{ vars.GITHUB_PATH }}
 
@@ -34,5 +28,7 @@ jobs:
 
       - name: Install collection dependencies
         run: ansible-galaxy collection install -r ${{ github.run_id }}.yml
-      - uses: pre-commit/action@v3.0.0
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@main # or version tag instead of 'main'
 ...

roles/analysis/handlers/main.yml

@@ -16,6 +16,7 @@
     --activationkey="{{ satellite_activation_key_pre_leapp }}"
     --force
   register: sub_man_reg
+  changed_when: true
   failed_when: false
 
 - name: Remove lynx package

roles/analysis/tasks/analysis-leapp.yml

@@ -1,5 +1,5 @@
 ---
-- name: Register to leapp activation key
+- name: analysis-leapp | Register to leapp activation key
   community.general.redhat_subscription:
     state: present
     activationkey: "{{ satellite_activation_key_leapp }}"
@@ -11,28 +11,28 @@
     - satellite_organization is defined
     - satellite_activation_key_leapp is defined
 
-- name: Install packages for preupgrade analysis on RHEL 7
+- name: analysis-leapp | Install packages for preupgrade analysis on RHEL 7
   ansible.builtin.package:
     name: "{{ analysis_packages_el7 }}"
     enablerepo: "{{ analysis_repos_el7 }}"
     state: latest
   when: ansible_distribution_major_version|int == 7
 
-- name: Install packages for preupgrade analysis on RHEL 8
+- name: analysis-leapp | Install packages for preupgrade analysis on RHEL 8
   ansible.builtin.package:
     name: "{{ analysis_packages_el8 }}"
     state: latest
   when: ansible_distribution_major_version|int == 8
 
-- name: Ensure leapp log directory exists
+- name: analysis-leapp | Ensure leapp log directory exists
   ansible.builtin.file:
     path: /var/log/leapp
     state: directory
     owner: root
     group: root
     mode: '0755'
 
-- name: Populate leapp_answers file
+- name: analysis-leapp | Populate leapp_answers file
   ansible.builtin.copy:
     content: "{{ leapp_answerfile }}"
     dest: /var/log/leapp/answerfile
@@ -41,25 +41,26 @@
     mode: '0644'
   when: leapp_answerfile is defined
 
-- name: Leapp preupgrade report
+- name: analysis-leapp | Leapp preupgrade report
   ansible.builtin.shell: >
-    export PATH={{ os_path }}
     set -o pipefail;
+    export PATH={{ os_path }};
     leapp preupgrade
     {{ leapp_preupg_opts }}
     {{ leapp_enable_repos_args }}
     2>&1 | tee -a {{ log_file }}
+  changed_when: true
   register: leapp
   args:
     executable: /bin/bash
   async: "{{ async_timeout_maximum | int }}"
   poll: "{{ async_poll_interval | int }}"
   failed_when: "'report has been generated' not in leapp.stdout"
 
-- name: Include check-results-file.yml
+- name: analysis-leapp | Include check-results-file.yml
   ansible.builtin.include_tasks: check-results-file.yml
 
-- name: Include the parse_leapp_report role to check for inhibitors
+- name: analysis-leapp | Include the parse_leapp_report role to check for inhibitors
   ansible.builtin.include_role:
     name: infra.leapp.parse_leapp_report
 

roles/analysis/tasks/analysis-preupg.yml

@@ -1,6 +1,6 @@
 ---
 # TODO: Having issues with community.general.redhat_subscription and subscription-manager on RHEL 6.
-- name: Register to upgrade activation key
+- name: analysis-preupg | Register to upgrade activation key
   ansible.builtin.shell: >
     export PATH={{ os_path }};
     subscription-manager register
@@ -14,44 +14,46 @@
   notify: Register to pre leapp activation key RHEL 6
   register: sub_man_reg
   failed_when: false
+  changed_when: true
 
-- name: Enable requisite RHUI repos
+- name: analysis-preupg | Enable requisite RHUI repos
   ansible.builtin.shell: |
-    export PATH={{ os_path }}
-    set -o pipefail
+    set -o pipefail;
+    export PATH={{ os_path }};
     yum-config-manager --enable {{ item }}
   loop: "{{ analysis_repos_el6 }}"
   when: leapp_upgrade_type == 'rhui'
   failed_when: false
+  changed_when: true
 
-- name: Preupgrade Assistant and Red Hat Upgrade Tool packages are latest
+- name: analysis-preupg | Preupgrade Assistant and Red Hat Upgrade Tool packages are latest
   ansible.builtin.package:
     name: "{{ analysis_packages_el6 }}"
     enablerepo: "{{ analysis_repos_el6 }}"
     state: latest
   when: leapp_upgrade_type != 'rhui'
 
-- name: Preupgrade Assistant and Red Hat Upgrade Tool packages are latest - RHUI
+- name: analysis-preupg | Preupgrade Assistant and Red Hat Upgrade Tool packages are latest - RHUI
   ansible.builtin.package:
     name: "{{ analysis_packages_el6 }}"
     state: latest
   when: leapp_upgrade_type == 'rhui'
 
-- name: Lynx is installed for text report
+- name: analysis-preupg | Lynx is installed for text report
   ansible.builtin.package:
     name: lynx
     state: present
   notify: Remove lynx package
 
-- name: Filesystem capacity checks
+- name: analysis-preupg | Filesystem capacity checks
   ansible.builtin.script: check-inodes.sh
   changed_when: false
   when: bypass_fs_checks is not defined or (bypass_fs_checks is defined and bypass_fs_checks | lower != 'yes')
 
-- name: Run preupg
+- name: analysis-preupg | Run preupg
   ansible.builtin.shell: >
-    export PATH={{ os_path }};
     set -o pipefail;
+    export PATH={{ os_path }};
     preupg --force --text
     2>&1 | tee -a {{ log_file }}
   register: preupg
@@ -60,25 +62,26 @@
   async: "{{ async_timeout_maximum | int }}"
   poll: "{{ async_poll_interval | int }}"
   failed_when: false
+  changed_when: true
 
-- name: Assert that preupg did not encounter errors
+- name: analysis-preupg | Assert that preupg did not encounter errors
   ansible.builtin.assert:
     that: not preupg_return_codes[preupg.rc].fail
     msg: "{{ preupg_return_codes[preupg.rc].msg }}"
 
-- name: Include check-results-file.yml
+- name: analysis-preupg | Include check-results-file.yml
   ansible.builtin.include_tasks: check-results-file.yml
 
-- name: Collect human readable report results
+- name: analysis-preupg | Collect human readable report results
   ansible.builtin.slurp:
     src: "{{ result_filename }}"
   register: results
 
-- name: Parse report results
+- name: analysis-preupg | Parse report results
   ansible.builtin.set_fact:
     preupg_report_txt: "{{ (results.content | b64decode).split('\n') }}"
 
-- name: Check for inhibitors
+- name: analysis-preupg | Check for inhibitors
   ansible.builtin.set_fact:
     upgrade_inhibited: "{{ preupg_return_codes[preupg.rc].inhibited }}"