CI: Add ansible-lint workflow for Ansible playbooks

[hassaansaleem28]

Proposed change

Resolves #3747

Description

Adds a local Make target and a dedicated GitHub Actions workflow to run ansible‑lint on .github/ansible/** in PRs.

Why

Catches Ansible playbook issues early (syntax, deprecated patterns, best‑practice violations) before deployment.

Changes

• New workflow: ansible‑lint on .github/ansible/**
• New Make target: make lint-ansible
• Skip ansible‑lint yaml rule to avoid conflicts with existing repo yamllint config

Notes

• YAML syntax is already covered by the existing yamllint checks.
• Local ansible-lint may show a warning about .yamllint compatibility, CI still runs and passes.
• Files under .github/ansible/* are YAML files, but yamllint only validates syntax/format. ansible lint adds Ansible‑specific checks (modules, best practices, deprecations), which is why this workflow is needed.

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Walkthrough

Adds ansible-lint to pre-commit for .github/ansible playbooks, a Makefile lint-ansible target, an ansible.posix collection declared in requirements.yml, and standardizes module qualification and idempotence handling across .github/ansible/** playbooks.

Changes

Cohort / File(s)	Summary
Pre-commit configuration \.pre-commit-config.yaml	Adds repo: https://github.com/ansible/ansible-lint at rev: v26.1.1 with hook id: ansible-lint, files: ^\.github/ansible/.*\.ya?ml$, and pass_filenames: true.
Makefile Makefile	Adds lint-ansible target that runs the ansible-lint pre-commit hook and adds it to .PHONY.
Ansible collections / lint config requirements.yml, .ansible-lint	Adds requirements.yml declaring ansible.posix collection; .ansible-lint updated to include a skip_list entry for YAML files.
Ansible playbooks (production & staging) .github/ansible/production/nest.yaml, .github/ansible/production/proxy.yaml, .github/ansible/staging/nest.yaml, .github/ansible/staging/proxy.yaml	Replaces implicit module calls with fully qualified modules (e.g., copy → ansible.builtin.copy, synchronize → ansible.posix.synchronize), adds changed_when: false to several tasks, adds some noqa comments, and changes certain shell/command usages to explicit ansible.builtin.* modules.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ci

Suggested reviewers

• kasya
• arkid15r

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'CI: Add ansible-lint workflow for Ansible playbooks' clearly and concisely summarizes the main change: adding ansible-lint CI workflow.
Description check	✅ Passed	The description thoroughly explains the proposed changes, rationale, implementation details, and notes about YAML rule skipping and compatibility.
Linked Issues check	✅ Passed	The PR successfully addresses all objectives from #3747: integrates ansible-lint into CI targeting .github/ansible/**, catches errors and violations, prevents regressions, and implements the workflow with necessary configuration fixes.
Out of Scope Changes check	✅ Passed	All changes are scoped to ansible-lint integration: .pre-commit-config.yaml adds ansible-lint hook, Makefile adds lint-ansible target, playbooks use fully-qualified module names to pass linting, and requirements.yml resolves Ansible dependencies.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/lint-ansible.yaml:
- Around line 18-24: Add version-tag comments next to the pinned action SHAs
used in the workflow so future readers know which release each SHA refers to:
update the uses entries for
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and
ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0 by appending
inline comments with their corresponding tags (actions/checkout v6.0.2 and
ansible/ansible-lint v26.1.1) to improve maintainability while keeping the SHA
pins intact.

🧹 Nitpick comments (1)

.github/workflows/lint-ansible.yaml (1)

3-7: Consider adding the workflow file itself to the paths filter.

Changes to this workflow file (.github/workflows/lint-ansible.yaml) won't trigger a CI run because it isn't included in the paths filter. This means modifications to the linting configuration or action versions won't be validated until an unrelated Ansible file change triggers the workflow.

Proposed fix

 on:
   pull_request:
     paths:
       - .github/ansible/**
+      - .github/workflows/lint-ansible.yaml
   workflow_dispatch:

[hassaansaleem28]

just a quick note:
ansible-lint's yaml rule conflicts with the repo's .yamllint config so i skip that rule and rely on exisiting yamllint checks for YAML syntax.

[arkid15r]

Can we have it as a part of our general approach available both locally and on CI/CD?

[hassaansaleem28]

sure
i can add a makefile target for local use and update the workflow.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.pre-commit-config.yaml:
- Around line 91-98: The ansible-lint pre-commit hook (hook id: ansible-lint)
currently passes args only for the target path; update the hook configuration in
.pre-commit-config.yaml to add the --skip-list yaml argument so local runs match
CI and skip the conflicting yaml rule; locate the ansible-lint hook block (repo:
https://github.com/ansible/ansible-lint, id: ansible-lint) and append
--skip-list yaml to its args array alongside the existing .github/ansible entry.
- Line 92: Update the ansible-lint pre-commit hook to the latest release by
changing the rev value from "v24.7.0" to "v26.1.1" in .pre-commit-config.yaml
(look for the ansible-lint hook entry and the line "rev: v24.7.0"); ensure the
hook id remains "ansible-lint" and run pre-commit autoupdate or a local
pre-commit run to verify the new version installs and passes.

🧹 Nitpick comments (1)

Makefile (1)

66-67: Minor: Add @ prefix for consistency with other targets.

Other pre-commit invocations in this Makefile (e.g., Line 54) use the @ prefix to suppress command echoing. This target should follow the same convention.

Proposed fix

 lint-ansible:
-	pre-commit run ansible-lint --all-files
+	`@pre-commit` run ansible-lint --all-files

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="Makefile">

<violation number="1" location="Makefile:67">
P2: `make lint-ansible` no longer skips the ansible-lint `yaml` rule. The pre-commit hook doesn’t add `--skip-list yaml`, so the previous behavior is lost and this target will start enforcing ansible-lint’s YAML formatting rules again. If the skip is still desired, pass it through the pre-commit run.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[hassaansaleem28]

Locally we can run make lint-ansible and also with pre-commit it will work.
In CI, pre-commit job will run so ansible lint will also run.

[arkid15r]

I'm not sure what value it adds. I tried to test it and it didn't complain about

[arkid15r]

The pre-commit fails with a lot of errors now.

You should also start using our PR template including the AI related part

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/ansible/production/nest.yaml:
- Line 11: Add a step in both CI jobs (deploy-staging-nest and
deploy-production-nest) to run "ansible-galaxy collection install -r
requirements.yml" before invoking ansible-playbook so the ansible.posix
collection (required for ansible.posix.synchronize) is installed on the runner;
update the workflow to run that command (using the repository checkout and
correct working-directory if needed) immediately prior to the ansible-playbook
step in each job.

In @.github/ansible/staging/nest.yaml:
- Around line 23-28: The task name "Update Makefiles for production environment"
is incorrect for this staging playbook; update the task name string to reflect
staging (e.g., "Update Makefiles for staging environment") so it matches the sed
commands that replace nest-*- to staging-nest-*; locate the Ansible task with
that exact name and change it to mention "staging" (leave the
ansible.builtin.shell block and sed lines unchanged).

🧹 Nitpick comments (1)

.github/ansible/production/proxy.yaml (1)

23-26: changed_when: false masks real state changes on deployment tasks.

docker compose up -d --pull always && docker compose restart always mutates host state (pulling images, recreating containers). Marking it changed_when: false suppresses meaningful change reporting. For a deploy playbook this is a pragmatic trade-off to silence no-changed-when, but be aware it hides actual drift from any callback/reporting plugin.

If you want more accurate reporting, consider registering the result and using a condition like changed_when: "'Started' in result.stdout" or similar.

[hassaansaleem28]

The pre-commit fails with a lot of errors now.

You should also start using our PR template including the AI related part

Roger that.
I have already started that in my upcoming PRs.

Fix pushed. Now that check passes (we have to follow ansible lint rules now).

One thing : i added a minimal .ansible-lint at root so it stop enforcing stricter yaml rules and conflict with existing yamllint which already do well. Rest looks good to me.

[cubic-dev-ai]

2 issues found across 9 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/ansible/staging/nest.yaml">

<violation number="1" location=".github/ansible/staging/nest.yaml:56">
P2: Missing `run_once: true` directive. This task is delegated to localhost and was previously configured to run only once regardless of the number of target hosts. Without `run_once: true`, the secret cleanup will execute redundantly for each host in the inventory group.</violation>
</file>

<file name=".github/ansible/production/nest.yaml">

<violation number="1" location=".github/ansible/production/nest.yaml:51">
P2: Missing `run_once: true` directive changes playbook behavior. This task delegates to localhost to clean up secret files - without `run_once`, it will run once per host in the inventory (redundantly deleting the same files). The original code had `run_once: true` for a reason. To satisfy ansible-lint while preserving behavior, keep `run_once` with the noqa comment.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.68%. Comparing base (1e1da21) to head (8ddc926).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3796   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files         463      463           
  Lines       14420    14420           
  Branches     1939     1939           
=======================================
  Hits        13509    13509           
  Misses        535      535           
  Partials      376      376           

Flag	Coverage Δ
backend	95.65% <ø> (ø)
frontend	88.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1e1da21...8ddc926. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[arkid15r]

Okay, let's see if it works.

[arkid15r]

@hassaansaleem28 you have useful ideas but you don't get your implementations fully benefit from them 27e6d1f

[hassaansaleem28]

@hassaansaleem28 you have useful ideas but you don't get your implementations fully benefit from them 27e6d1f

@arkid15r Thank you so much for your feedback (also for the merge), you're right. I will surely improve in this with time in my upcoming PRs. From now on, I will ensure that the implementation fully matches the intent.