chore(ci): add CI workflow and Dependabot hardening #81

Open
t0kubetsu wants to merge 11 commits into dev from feat/ci-hardening

@t0kubetsu

Contributor

Summary

  • ruff + pytest on python:3.13-slim + pip/github-actions Dependabot

Closes #80

Changes

  • .github/workflows/ci.yml — CI pipeline running in a containerised Debian/Python/Node image
  • .github/dependabot.yml — automated dependency updates

Test plan

  • CI runs green on this PR
  • Dependabot alerts enabled in repo settings

t0kubetsu added 11 commits June 9, 2026 17:17
- CI runs inside containerised Debian/Python/Node images (not bare ubuntu-latest)
- Dependabot enabled for package ecosystem + github-actions
dev branch has no pyproject.toml (Python package lives on
feat/r42playbooks-generator). The previous single job failed with
"does not appear to be a Python project". Now:
- ansible-lint always runs on bundles/
- ruff+pytest only run when pyproject.toml exists (hashFiles guard)
Job-level hashFiles() evaluates before checkout so the workspace is always
empty; replace with a step-level shell test writing to GITHUB_OUTPUT.
Also drop --profile=production (incompatible with org conventions) and add
.ansible-lint config with profile:basic.
…epo stubs

ansible-lint 6.x rejects syntax-check in skip_list; stub the catalog
and proxmox-controller roles with mock_roles so syntax-check passes
without cross-repo checkouts.
Role lives in range42-catalog which is not checked out in CI;
stub it so ansible-lint syntax-check passes.
@t0kubetsu t0kubetsu force-pushed the feat/ci-hardening branch from da13c06 to 90d37d8 Compare June 9, 2026 15:17
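
The step-level guard described in the commit messages above, sketched as an added example (this is not the PR's actual ci.yml). The job name, step ids, the `has_pyproject` output name, the install commands and the `actions/checkout@v4` pin are assumptions; only the `python:3.13-slim` image, ruff, pytest and the `pyproject.toml` check come from the page.

```yaml
# Added illustration, not the repository's workflow file.
name: ci
on: [pull_request]

# Least privilege for the workflow token: lint and test only need to read the repo.
permissions:
  contents: read

jobs:
  python:
    runs-on: ubuntu-latest
    container: python:3.13-slim
    # No job-level hashFiles() guard here: per the commit message it is
    # evaluated before checkout, when the workspace is still empty.
    steps:
      - uses: actions/checkout@v4   # assumed version pin

      # Step-level shell test, run after checkout, so the file check sees
      # the real tree. The result is published through GITHUB_OUTPUT.
      - name: Detect Python project
        id: detect                  # hypothetical step id
        run: |
          if [ -f pyproject.toml ]; then
            echo "has_pyproject=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_pyproject=false" >> "$GITHUB_OUTPUT"
          fi

      # Every Python-only step repeats the same condition, so a branch
      # without pyproject.toml skips them instead of failing the job.
      - name: Install tooling
        if: steps.detect.outputs.has_pyproject == 'true'
        run: pip install ruff pytest && pip install -e .

      - name: ruff
        if: steps.detect.outputs.has_pyproject == 'true'
        run: ruff check .

      - name: pytest
        if: steps.detect.outputs.has_pyproject == 'true'
        run: pytest
```

Step outputs are always strings, which is why the conditions compare against `'true'` rather than a boolean.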