chore(ci): refresh lint workflow + add .ansible-lint config#33
Open
0cwa wants to merge 2 commits into
Ansible 2.10+ rejects 'vars: [- key: value, ...]' under a play with:
ERROR: Vars in a Play must be specified as a dictionary.
The dashes were a copy/paste hangover from the 'roles:' list above. Re-indent the body so each var is a top-level key in the dict. No semantic change.
Verified with:
yamllint -c .yamllint.yaml playbooks/matrix.yml
ansible-playbook --syntax-check -i hosts/prod playbooks/matrix.yml
Adds an explicit .ansible-lint pinned at the 'safety' profile, and
modernises the GitHub Actions workflow that gates linting:
* actions/checkout@v4 + actions/setup-python@v5 (the old workflow
pinned ubuntu-18.04 + python 3.7 + actions@v1, all now retired)
* direct pip install of ansible-core + ansible-lint + yamllint;
the pipenv + Pipfile.lock setup from 2020 is left in place for
legacy 'make lint' callers but no longer drives CI
* three independent gates surfaced as separate steps:
1. yamllint on the whole tree
2. ansible-lint on roles we actively maintain
(roles/docker + roles/funkwhale; declared via an
ACTIVE_ROLES list that gracefully skips paths not yet
present in the current checkout, so this PR is safe to
land before feat/docker-role and feat/funkwhale-core)
3. ansible-playbook --syntax-check on every playbook,
using a dummy non-empty .vault_pass.txt so parsing
doesn't hit the 'vault password file not found' error
Linting playbooks directly (rather than the roles they pull in) is
intentional: a known ansible-lint limitation
(ansible/ansible-lint#2687, ansible/ansible-lint#3489) means
exclude_paths does not block transitive role discovery, so playbook
linting would surface ~100 pre-existing failures in legacy roles
(common, fail2ban, nginx, certbot, matrix). That debt is tracked
separately. New roles must pass safety from day one and are added
to ACTIVE_ROLES when they land.
Branched from fix/matrix-playbook-syntax so the new syntax-check
step does not go red on day one (matrix.yml has a pre-existing vars
list-of-dicts bug that PR-0 fixes).
Verified locally with the actual repo ansible.cfg (vault file
absent) on:
- chore/ci-lint (no new roles → ansible-lint skipped, syntax-check passes on matrix.yml + web.yml)
- feat/funkwhale-backup (both new roles linted clean, matrix.yml correctly FAILS until rebased onto master after PR-0 lands; the dependency is surfaced)
Refreshes linting CI and adds an explicit .ansible-lint config pinned at the safety profile.

What changed

* .ansible-lint (new): pins profile: safety so contributors and CI agree on which rules are gates. Excludes the legacy roles (common, fail2ban, nginx, certbot, matrix) so their pre-existing debt isn't a blocker for new work.
* .github/workflows/linting.yml, modernised:
  * actions/checkout@v4, actions/setup-python@v5 (the previous workflow pinned ubuntu-18.04 + Python 3.7 + actions@v1, all retired)
  * pip install of ansible-core, ansible-lint, yamllint (the 2020-era pipenv + Pipfile.lock setup is left in place for legacy make lint callers but no longer drives CI)
  * yamllint on the whole tree
  * ansible-lint on roles we actively maintain (roles/docker, roles/funkwhale); declared via an ACTIVE_ROLES list that gracefully skips paths not yet present
  * ansible-playbook --syntax-check on every playbook, using a dummy non-empty .vault_pass.txt so parse doesn't hit the vault password file not found error (CI never decrypts; syntax-check only parses YAML)

Why role-by-role, not playbook-by-playbook?

A known ansible-lint limitation (#2687, #3489) means exclude_paths doesn't block transitive role discovery. Linting playbooks/funkwhale.yml would surface ~100 pre-existing failures in legacy roles. Linting roles standalone keeps the gate actionable for new code.

Verified with

Simulated CI locally for every branch in this batch; all post-merge into master pass yamllint + ansible-lint + syntax-check.

Stacking

Branched from fix/matrix-playbook-syntax so the new syntax-check step doesn't go red on day one (matrix.yml has the pre-existing vars list-of-dicts bug that PR fix/matrix-playbook-syntax fixes).

Recommended merge order: fix/matrix-playbook-syntax → this PR → feat/docker-role → feat/funkwhale-core → feat/funkwhale-anubis + feat/funkwhale-backup.

Out of scope

Pipfile / Pipfile.lock / Makefile still use the 2020-era pipenv flow. The new CI bypasses them, but make lint / make setup are likely already broken due to bitrot. Tracked separately.
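The commit message and the PR description both describe the same two gate behaviours without showing them: an ACTIVE_ROLES list that lints only the maintained roles present in the current checkout (and passes cleanly when none are), and a dummy, non-empty .vault_pass.txt that lets --syntax-check parse playbooks whose ansible.cfg names a vault file that is absent in CI. The POSIX sh below is an added example written for this page, not the PR's workflow or any file from the repository; it is the shape such logic would take inside the `run:` steps. The variable names ACTIVE_ROLES, LINT_CMD and SYNTAX_CMD, the role and playbook paths, and the dummy file contents are assumptions; the commands are made overridable only so the functions can be exercised without Ansible installed.

```shell
#!/bin/sh
# Added example (not the PR's own workflow): the ansible-lint and syntax-check
# gates as sh functions. ACTIVE_ROLES, LINT_CMD and SYNTAX_CMD are assumed names.

# Roles the gate covers; paths not present in the checkout are skipped so the
# workflow can land before the branches that add those roles.
ACTIVE_ROLES="${ACTIVE_ROLES:-roles/docker roles/funkwhale}"

# Tool invocations are variables so the logic can run where Ansible is absent;
# a real CI job leaves them unset and gets the real tools.
LINT_CMD="${LINT_CMD:-ansible-lint}"
SYNTAX_CMD="${SYNTAX_CMD:-ansible-playbook --syntax-check}"

# Print the subset of ACTIVE_ROLES that exists under $1 (repo root), one per
# line; missing roles are reported on stderr so the skip is visible in the log.
present_roles() {
  root="$1"
  for r in $ACTIVE_ROLES; do
    if [ -d "$root/$r" ]; then
      printf '%s\n' "$r"
    else
      printf 'skip: %s not in this checkout\n' "$r" >&2
    fi
  done
}

# Gate: lint only the maintained roles that are present. Returns 0 without
# invoking the linter when none of them exist yet, so an early PR stays green.
lint_active_roles() {
  root="$1"
  roles=$(present_roles "$root")
  if [ -z "$roles" ]; then
    echo "ansible-lint: no active roles present, skipping" >&2
    return 0
  fi
  # Word-splitting of $roles is intentional: one argument per role path.
  (cd "$root" && $LINT_CMD $roles)
}

# --syntax-check only parses YAML but still requires the vault password file
# named in ansible.cfg to exist. Create a dummy, non-empty one only if absent
# and say whether we did, so the caller removes it instead of leaving it behind.
ensure_vault_pass() {
  f="$1/.vault_pass.txt"
  if [ -e "$f" ]; then
    echo kept
    return 0
  fi
  printf 'dummy-not-a-real-secret\n' > "$f"
  echo created
}

# Gate: syntax-check every playbook under $1/playbooks; fail if any fails.
syntax_check_playbooks() {
  root="$1"
  created=$(ensure_vault_pass "$root")
  status=0
  for pb in "$root"/playbooks/*.yml; do
    [ -e "$pb" ] || continue
    (cd "$root" && $SYNTAX_CMD "${pb#"$root"/}") || status=1
  done
  if [ "$created" = created ]; then
    rm -f "$root/.vault_pass.txt"
  fi
  return $status
}
```

Two design points worth keeping if this is transplanted into a workflow: the dummy vault file is created only when no file is present and is deleted again when the step created it, so a checkout that legitimately carries a password file is never overwritten and the placeholder never reaches a later step; and the skip path returns success explicitly rather than letting ansible-lint run with no arguments, which would lint the whole tree and surface the legacy-role debt the PR is deliberately keeping out of the gate.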