Add CI, pre-commit hooks

.github/workflows/lint.yml

@@ -0,0 +1,13 @@
+# .github/workflows/ansible-lint.yml
+name: ansible-lint
+on:
+  pull_request:
+    branches: ["main"]
+jobs:
+  build:
+    name: Ansible Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run ansible-lint
+        uses: ansible/[email protected]

.pre-commit-config.yaml

@@ -0,0 +1,31 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+    - id: trailing-whitespace
+    - id: end-of-file-fixer
+    - id: check-yaml
+    - id: check-added-large-files
+
+- repo: https://github.com/ansible-community/ansible-lint
+  rev: v24.2.1
+  hooks:
+    - id: ansible-lint
+      always_run: false
+      files: ^.*.yml
+      exclude: .github
+      additional_dependencies:
+        - ansible-core>=2.16.0
+      args: [
+        "--exclude", ".pre-commit-config.yaml",
+        "--exclude", "roles/" # Exclude roles for now.
+      ]
+
+
+- repo: https://github.com/python-jsonschema/check-jsonschema
+  rev: 0.28.0
+  hooks:
+    - id: check-github-workflows
+    - id: check-dependabot

apiservers.yml

@@ -1,13 +1,13 @@
 # file: apiservers.yml
 #
 ---
-
-- hosts: api
+- name: Deploy API servers
+  hosts: api
   roles:
-    # ansible-galaxy install geerlingguy.nodejs
-    - { role: geerlingguy.nodejs, become: yes }
-    # ansible-galaxy install Oefenweb.yarn
-    - { role: Oefenweb.yarn, become: yes }
+    - role: geerlingguy.nodejs
+      become: true
+    - role: Oefenweb.yarn
+      become: true
   vars:
     nodejs_version: "10.x"
     nodejs_npm_global_packages:
@@ -25,51 +25,54 @@
         gecos: "RCIAM COmanage Registry API Server,,,"
         shell: /bin/bash
         home: /srv/comanage-registry-simple-membership-api
-        
+
   tasks:
     - name: Ensure RCIAM API dependencies are installed
-      apt:
-        name:
-          - git
+      become: true
+      ansible.builtin.apt:
+        name: git
         state: present
-        install_recommends: no
-        update_cache: yes
+        install_recommends: false
+        update_cache: true
         cache_valid_time: 86400
-      become: yes
+
 
     - name: Ensure RCIAM COmanage Registry API group exists
-      group:
+      become: true
+      ansible.builtin.group:
         name: "{{ rciam_api.user.group }}"
-        system: yes
-      become: yes
+        system: true
 
     - name: Ensure RCIAM COmanage Registry API user exists
-      user:
+      become: true
+      ansible.builtin.user:
         name: "{{ rciam_api.user.name }}"
         groups: "{{ rciam_api.user.group }}"
-        comment: "{{ rciam_api.user.gecos }}" 
+        comment: "{{ rciam_api.user.gecos }}"
         shell: "{{ rciam_api.user.shell }}"
         home: "{{ rciam_api.user.home }}"
-        system: yes
-        create_home: yes
+        system: true
+        create_home: true
         skeleton: "/empty"
-      become: yes
+
 
     - name: Ensure RCIAM COmanage Registry API code checkout directory exists
-      file:
+      become: true
+      ansible.builtin.file:
         path: "{{ rciam_api.path }}"
         owner: "{{ rciam_api.user.name }}"
         group: "{{ rciam_api.user.group }}"
         state: directory
-      become: yes
+        mode: "0775"
+
 
     - name: Ensure RCIAM COmanage Registry API code checkout is up-to-date
-      git:
+      become: true
+      become_user: "{{ rciam_api.user.name }}"
+      ansible.builtin.git:
         repo: "{{ rciam_api.repo_url }}"
         dest: "{{ rciam_api.path }}"
         version: "{{ rciam_api.repo_version }}"
-      become: yes
-      become_user: "{{ rciam_api.user.name }}"
       notify: Restart RCIAM COmanage Registry API processes
 
     # TODO- name: Ensure RCIAM COmanage Registry API current symlink to code checkout directory exists
@@ -82,52 +85,55 @@
     #  become: yes
 
     - name: Ensure RCIAM COmanage Registry API is configured
-      template:
+      become: true
+      ansible.builtin.template:
         src: "{{ playbook_dir }}/templates/comanage-registry-simple-membership-api/settings.js.j2"
         dest: "{{ rciam_api.path }}/settings.js"
         owner: "{{ rciam_api.user.name }}"
         group: "{{ rciam_api.user.group }}"
-        mode: 0400
-        backup: yes
-      become: yes
+        mode: "0400"
+        backup: true
       notify: Restart RCIAM COmanage Registry API processes
 
     - name: Ensure RCIAM COmanage Registry API packages are installed
-      yarn:
-        path: "{{ rciam_api.path }}"
-        production: yes
-      become: yes
+      become: true
       become_user: "{{ rciam_api.user.name }}"
+      community.general.yarn:
+        path: "{{ rciam_api.path }}"
+        production: true
 
   handlers:
-
     - name: Delete existing RCIAM COmanage Registry API pm2 processes if running
-      command:
+      become: true
+      become_user: "{{ rciam_api.user.name }}"
+      ansible.builtin.command: # noqa: no-changed-when
         cmd: "/usr/local/lib/npm/bin/pm2 delete {{ rciam_api.name }}"
         chdir: "{{ rciam_api.path }}"
-      ignore_errors: yes
-      become: yes
-      become_user: "{{ rciam_api.user.name }}"
+      ignore_errors: true  # noqa: ignore-errors
+      # failed_when: # Add acceptable failure conditions
       listen: Restart RCIAM COmanage Registry API processes
 
     - name: Ensure RCIAM COmanage Registry API pm2 processes are running
-      command:
+      become: true
+      become_user: "{{ rciam_api.user.name }}"
+      ansible.builtin.command: # noqa: no-changed-when
         cmd: "/usr/local/lib/npm/bin/pm2 start server.js -i 2 --name {{ rciam_api.name }}"
         chdir: "{{ rciam_api.path }}"
-      become: yes
-      become_user: "{{ rciam_api.user.name }}"
+      # changed_when: # Add acceptable change conditions to ensure idempotency
       listen: Restart RCIAM COmanage Registry API processes
 
     - name: Ensure RCIAM COmanage Registry API init script exists
-      command:
+      become: true
+      ansible.builtin.command: # noqa: no-changed-when
         cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 startup systemd -u {{ rciam_api.user.name }} --hp {{ rciam_api.user.home }}"
-      become: yes
+      # changed_when: # Add acceptable change conditions to ensure idempotency
       listen: Restart RCIAM COmanage Registry API processes
-  
+
     - name: Ensure RCIAM COmanage Registry API process list is saved
-      command:
+      become: true
+      become_user: "{{ rciam_api.user.name }}"
+      ansible.builtin.command: # noqa: no-changed-when
         cmd: "/usr/local/lib/npm/lib/node_modules/pm2/bin/pm2 save"
         chdir: "{{ rciam_api.path }}"
-      become: yes
-      become_user: "{{ rciam_api.user.name }}"
       listen: Restart RCIAM COmanage Registry API processes
+      # changed_when: # Add acceptable change conditions to ensure idempotency

requirements.txt

@@ -1,4 +1,7 @@
-ansible==2.10.7
+ansible==9.3.0
+ansible-base==2.10.17
+ansible-core==2.16.4
+ansible-lint==24.2.1
 dnspython==2.1.0
 passlib==1.7.4
 jmespath==0.10.0

requirements.yml

@@ -0,0 +1,10 @@
+- name: ipr-cnrs.nftables
+  version: v2.2.1
+- name: arillso.logrotate
+  version: 1.6.1
+- name: geerlingguy.nodejs
+  version: 7.0.0
+- name: Oefenweb.yarn
+  version: v1.0.52
+- name: infOpen.openjdk-jdk
+  version: 0.4.0