add ansible-lint to CI

.github/workflows/ansible-lint.yml

@@ -0,0 +1,55 @@
+# .github/workflows/ansible-lint.yml
+name: ansible-lint
+on:
+  pull_request:
+    branches: ["master"]
+  push:
+
+env:
+  ansible_lint_version: v24.5.0
+
+jobs:
+  build:
+    name: Ansible Lint # Naming the build is important to use it as a status check
+    runs-on: ubuntu-latest
+    container: almalinux:9
+    steps:
+      - uses: actions/checkout@v4
+
+      # - name: Run ansible-lint
+      #   uses: ansible/[email protected] # or version tag instead of 'main'
+
+      - name: Install dnf dependencies
+        run: |
+          dnf -y install epel-release git-core python3.12 python3.12-pip wget
+
+
+      # Due to GHA limitation, caching works only for files within GITHUB_WORKSPACE
+      # folder, so we are forced to stick this temporary file inside .git, so it
+      # will not affect the linted repository.
+      # https://github.com/actions/toolkit/issues/1035
+      # https://github.com/actions/setup-python/issues/361
+      - name: Generate .git/ansible-lint-requirements.txt
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          curl --create-dirs -o ${{ github.workspace}}/.git/ansible-lint-requirements.txt \
+          https://raw.githubusercontent.com/ansible/ansible-lint/$ansible_lint_version/.config/requirements-lock.txt
+
+      - name: Install ansible-lint
+        shell: bash
+        # We need to set the version manually because $GITHUB_ACTION_PATH is not
+        # a git clone and setuptools-scm would not be able to determine the version.
+        # git+https://github.com/ansible/ansible-lint@${{ github.action_ref || 'main' }}
+        # SETUPTOOLS_SCM_PRETEND_VERSION=${{ github.action_ref || 'main' }}
+        # if we need to version lock example:
+        # pip3.12 install "ansible-lint[lock] @ git+https://github.com/ansible/ansible-lint@$ansible_lint_version"
+        run: |
+          cd $GITHUB_ACTION_PATH
+          pip3.12 install "ansible-lint[lock]"
+          ansible-lint --version
+
+      - name: Run ansible-lint
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: ansible-lint

requirements.yml

@@ -1,8 +1,11 @@
 ---
 collections:
+    - name: ansible.posix
     - name: devsec.hardening
     - name: freeipa.ansible_freeipa
     - name: community.hashi_vault
+    - name: community.zabbix
+    - name: community.general
 
 roles:
     - name: artis3n.tailscale

roles/common/handlers/firewalld_handler.yml

@@ -0,0 +1,5 @@
+---
+- name: Reload firewalld
+  ansible.builtin.service:
+    name: firewalld
+    state: reloaded

roles/common/handlers/main.yml

@@ -1,2 +1,3 @@
 ---
+- ansible.builtin.import_tasks: firewalld_handler.yml # noqa name[missing]
 - ansible.builtin.import_tasks: zabbix_handler.yml # noqa name[missing]

roles/common/tasks/zabbix.yml

@@ -5,7 +5,7 @@
     state: present
     permanent: true
   notify:
-    - reload firewalld
+    - Reload firewalld
   tags:
     - firewalld
     - zabbix