From 4357a49f2b7093de188f46da0326aebd4dddc6c0 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Fri, 6 Feb 2026 08:00:33 +0500 Subject: [PATCH 01/12] ci: add ansible-lint workflow Signed-off-by: Muhammad Hassaan Saleem --- .github/workflows/lint-ansible.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/lint-ansible.yaml diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml new file mode 100644 index 0000000000..e7274189f3 --- /dev/null +++ b/.github/workflows/lint-ansible.yaml @@ -0,0 +1,24 @@ +name: Lint Ansible + +on: + pull_request: + paths: + - .github/ansible/** + workflow_dispatch: + +permissions: {} + +jobs: + ansible-lint: + name: Run ansible-lint + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Check out repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + + - name: Run ansible-lint + uses: ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0 + with: + args: --skip-list yaml .github/ansible From 41468fbb8608c8d0245137d32cc8453c7cb1897c Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Fri, 6 Feb 2026 08:26:12 +0500 Subject: [PATCH 02/12] Update .github/workflows/lint-ansible.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- .github/workflows/lint-ansible.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml index e7274189f3..2bf4af5c29 100644 --- a/.github/workflows/lint-ansible.yaml +++ b/.github/workflows/lint-ansible.yaml 
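Review bot: The `pull_request.paths` filter under `on:` lists only `.github/ansible/**`, so a pull request that edits this workflow itself (for example bumping the pinned action SHAs or changing the `--skip-list` arguments) does not run the lint job. Adding the workflow to the filter, `- .github/workflows/lint-ansible.yaml`, keeps such changes under the same check. The `args: --skip-list yaml .github/ansible` line also deserves a short comment stating which rule set is being waived and why, so the next reader does not have to guess whether the yaml rules are covered elsewhere.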
@@ -16,9 +16,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run ansible-lint - uses: ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0 + uses: ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0 # v26.1.1 with: args: --skip-list yaml .github/ansible From d591f4efc6575f76c707778d164fd403e0bbb535 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Fri, 6 Feb 2026 10:12:23 +0500 Subject: [PATCH 03/12] ci: add ansible-lint make target and workflow Signed-off-by: Muhammad Hassaan Saleem --- .github/workflows/lint-ansible.yaml | 14 ++++++++++---- Makefile | 5 ++++- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml index 2bf4af5c29..a5480d7a39 100644 --- a/.github/workflows/lint-ansible.yaml +++ b/.github/workflows/lint-ansible.yaml @@ -16,9 +16,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - name: Run ansible-lint - uses: ansible/ansible-lint@7f6abc5ef97d0fb043a0f3d416dfbc74399fbda0 # v26.1.1 + - name: Set up Python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 with: - args: --skip-list yaml .github/ansible + python-version: '3.13' + + - name: Install ansible-lint + run: pipx install ansible-lint==26.1.1 + + - name: Run ansible-lint + run: make lint-ansible diff --git a/Makefile b/Makefile index 0527fabe30..00e1a6b354 100644 --- a/Makefile +++ b/Makefile 
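Review bot: The `# v6.0.2` and `# v26.1.1` version comments that the previous commit added next to the SHA pins are dropped again in this hunk, and the new `actions/setup-python@a309ff8b…` pin is introduced without one, so a reviewer can no longer tell which release each SHA corresponds to or whether the three pins are current. Keep the comment on `actions/checkout` and add one to the new step, e.g. `uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # <release tag for this SHA>`. `pipx install ansible-lint==26.1.1` pins the version only, not the package hash; that is a weaker pin than the SHAs used for the actions and is worth a one-line comment so the difference is deliberate rather than accidental.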
@@ -6,7 +6,7 @@ include frontend/Makefile .PHONY: build clean check pre-commit prune run scan-images security-scan security-scan-code \ security-scan-code-semgrep security-scan-code-trivy security-scan-images \ security-scan-backend-image security-scan-frontend-image test update \ - clean-trivy-cache + clean-trivy-cache lint-ansible MAKEFLAGS += --no-print-directory @@ -63,6 +63,9 @@ run: docker compose -f docker-compose/local/compose.yaml --project-name nest-local build && \ docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans +lint-ansible: + @ansible-lint --skip-list yaml .github/ansible + security-scan: \ security-scan-code \ security-scan-images From 3aeb9d4a997f40f58dd7aec192f0702991610f38 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Sat, 7 Feb 2026 10:07:20 +0500 Subject: [PATCH 04/12] ci: add ansible-lint pre-commit hook Signed-off-by: Muhammad Hassaan Saleem --- .github/workflows/lint-ansible.yaml | 30 ----------------------------- .pre-commit-config.yaml | 9 +++++++++ Makefile | 2 +- 3 files changed, 10 insertions(+), 31 deletions(-) delete mode 100644 .github/workflows/lint-ansible.yaml diff --git a/.github/workflows/lint-ansible.yaml b/.github/workflows/lint-ansible.yaml deleted file mode 100644 index a5480d7a39..0000000000 --- a/.github/workflows/lint-ansible.yaml +++ /dev/null @@ -1,30 +0,0 @@ -name: Lint Ansible - -on: - pull_request: - paths: - - .github/ansible/** - workflow_dispatch: - -permissions: {} - -jobs: - ansible-lint: - name: Run ansible-lint - permissions: - contents: read - runs-on: ubuntu-latest - steps: - - name: Check out repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - - - name: Set up Python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 - with: - python-version: '3.13' - - - name: Install ansible-lint - run: pipx install ansible-lint==26.1.1 - - - name: Run ansible-lint - run: make lint-ansible 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a0fffc4946..a0087d3419 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -87,3 +87,12 @@ repos: rev: v2.12.1 hooks: - id: pyproject-fmt + + - repo: https://github.com/ansible/ansible-lint + rev: v24.7.0 + hooks: + - id: ansible-lint + args: + - .github/ansible + files: ^\.github/ansible/.*\.ya?ml$ + pass_filenames: false \ No newline at end of file diff --git a/Makefile b/Makefile index 00e1a6b354..245cb59062 100644 --- a/Makefile +++ b/Makefile @@ -64,7 +64,7 @@ run: docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans lint-ansible: - @ansible-lint --skip-list yaml .github/ansible + pre-commit run ansible-lint --all-files security-scan: \ security-scan-code \ From b3d73a641a3f9808fb9e0a6a1265df0de3f378bb Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Sat, 7 Feb 2026 10:13:17 +0500 Subject: [PATCH 05/12] fix: whitespace & version Signed-off-by: Muhammad Hassaan Saleem --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a0087d3419..9ec6628639 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -89,10 +89,10 @@ repos: - id: pyproject-fmt - repo: https://github.com/ansible/ansible-lint - rev: v24.7.0 + rev: v26.1.1 hooks: - id: ansible-lint args: - .github/ansible files: ^\.github/ansible/.*\.ya?ml$ - pass_filenames: false \ No newline at end of file + pass_filenames: false From 7a41d029009e8e644caa293e78278f4df17ab233 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Sat, 7 Feb 2026 10:20:11 +0500 Subject: [PATCH 06/12] Update Makefile Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 245cb59062..71f2936974 100644 --- a/Makefile +++ b/Makefile 
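Review bot: The new hook pins `rev: v24.7.0`, a mutable tag, while every GitHub Action in this series is pinned by commit SHA; pre-commit accepts a full commit SHA in `rev`, so the hook can be pinned the same way, `rev: <full commit SHA of the chosen ansible-lint release>`, with the tag kept in a trailing comment. The tag also names an older release than the `ansible-lint==26.1.1` that the workflow deleted in this commit installed, so lint results will differ from what CI ran before. `pass_filenames: false` together with `args: [.github/ansible]` is coherent (the whole directory is linted on every run), but the hunk ends with `\ No newline at end of file`, which should be fixed before merge.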
@@ -64,7 +64,7 @@ run: docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans lint-ansible: - pre-commit run ansible-lint --all-files + pre-commit run ansible-lint --all-files -- --skip-list yaml security-scan: \ security-scan-code \ From 8bbe0afb5fa7c928c5007ccf9161b402278a7587 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Sun, 8 Feb 2026 10:45:35 +0500 Subject: [PATCH 07/12] ci: enable ansible-lint scanning and add requirements.yml Signed-off-by: Muhammad Hassaan Saleem --- .pre-commit-config.yaml | 3 ++- Makefile | 2 +- requirements.yml | 2 ++ 3 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 requirements.yml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9ec6628639..cbfa58057f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -92,7 +92,8 @@ repos: rev: v26.1.1 hooks: - id: ansible-lint + language_version: python3 args: - .github/ansible files: ^\.github/ansible/.*\.ya?ml$ - pass_filenames: false + pass_filenames: true diff --git a/Makefile b/Makefile index 71f2936974..245cb59062 100644 --- a/Makefile +++ b/Makefile @@ -64,7 +64,7 @@ run: docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans lint-ansible: - pre-commit run ansible-lint --all-files -- --skip-list yaml + pre-commit run ansible-lint --all-files security-scan: \ security-scan-code \ diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000000..e3639a122c --- /dev/null +++ b/requirements.yml @@ -0,0 +1,2 @@ +collections: + - name: ansible.posix From 0dc210fec195943ff42e4b34641d0c1783732956 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Mon, 9 Feb 2026 06:59:06 +0500 Subject: [PATCH 08/12] chore(ansible):align linting and module usage 
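Review bot: The target now appends `-- --skip-list yaml` to `pre-commit run ansible-lint --all-files`, but I am not aware of pre-commit forwarding trailing arguments to a hook's command line, so the option is likely either rejected by its argument parser or silently ignored rather than reaching ansible-lint. Hook options belong in the hook's `args:` list in `.pre-commit-config.yaml`, e.g. `args: [--skip-list, yaml, .github/ansible]`, or in an `.ansible-lint` file that the tool reads itself; either keeps `make lint-ansible` and the pre-commit hook behaving identically instead of drifting apart.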
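Review bot: With `pass_filenames: true` the hook now receives the matched file names in addition to the `.github/ansible` directory from `args:`, so in a normal pre-commit run ansible-lint is handed each changed playbook both directly and via the directory, and under `--all-files` the directory argument is redundant. Either keep `pass_filenames: false` with the directory argument, or drop the directory from `args:` and let `files: ^\.github/ansible/.*\.ya?ml$` select the inputs. `language_version: python3` is fine, but a comment saying why it became necessary would help the next reader, since the hook previously ran without it.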
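Review bot: `requirements.yml` lists `ansible.posix` without a `version:`, so `ansible-galaxy collection install -r requirements.yml` resolves to whatever the newest release on Galaxy is at install time, and the playbooks that use `ansible.posix.synchronize` will pick up new collection code on each run without any change in this repository. Pin it, `version: "<chosen ansible.posix release>"`, and bump deliberately; a `---` document start and a comment naming which playbooks need the collection would also help. Note the file is added at the repository root while the playbooks live under `.github/ansible`, so the install command only works when run from the root.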
Signed-off-by: Muhammad Hassaan Saleem --- .ansible-lint | 2 ++ .github/ansible/production/nest.yaml | 25 +++++++++++++++---------- .github/ansible/production/proxy.yaml | 10 ++++++---- .github/ansible/staging/nest.yaml | 25 +++++++++++++++---------- .github/ansible/staging/proxy.yaml | 10 ++++++---- 5 files changed, 44 insertions(+), 28 deletions(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000000..0460704163 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - yaml diff --git a/.github/ansible/production/nest.yaml b/.github/ansible/production/nest.yaml index 90f9594ca2..112f84a4ed 100644 --- a/.github/ansible/production/nest.yaml +++ b/.github/ansible/production/nest.yaml @@ -8,7 +8,7 @@ mode: '0644' - name: Sync Makefile structure - ansible.builtin.synchronize: + ansible.posix.synchronize: src: '{{ github_workspace }}/' dest: '~/' recursive: yes @@ -20,14 +20,15 @@ - '--include=*/**/**/Makefile' - '--exclude=*' - - name: Update Makefiles for production environment - shell: | + - name: Update Makefiles for production environment # noqa: command-instead-of-module risky-shell-pipe + ansible.builtin.shell: | sed -i '/e2e-\|fuzz-/! s/\bnest-backend\b/production-nest-backend/g' ~/backend/Makefile sed -i '/e2e-\|fuzz-/! s/\bnest-db\b/production-nest-db/g' ~/backend/Makefile sed -i 's/\bnest-frontend\b/production-nest-frontend/g' ~/frontend/Makefile + changed_when: false - name: Copy secrets - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/{{ item }}' dest: ~/ mode: '0400' @@ -38,9 +39,9 @@ - .env.frontend - .github.pem - - name: Clean up secrets + - name: Clean up secrets # noqa: run-once delegate_to: localhost - file: + ansible.builtin.file: path: '{{ github_workspace }}/{{ item }}' state: absent loop: @@ -52,7 +53,7 @@ run_once: true - name: Copy crontab - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/cron/production' dest: /tmp/production_crontab mode: '0600' 
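Review bot: `changed_when: false` is added to the `Update Makefiles for production environment` task, but that task runs `sed -i` on the remote Makefiles, so it does mutate the host and will now always report `ok`; the same applies to the `crontab`, `docker compose up -d --pull always` and `docker image prune -f` tasks in the next hunk of this file, to both proxy playbooks, and to the staging playbook later in this commit. `changed_when: false` is appropriate for read-only commands; for commands that change state, either leave the default (always `changed`) or derive it from the command's output with `register`. The added `# noqa: command-instead-of-module risky-shell-pipe` silences the rule that points at `ansible.builtin.replace`, which reports changes itself; if the waiver is intentional (the `/e2e-\|fuzz-/!` line exclusion may be hard to express there), a comment saying so would help the next reader.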
@@ -60,17 +61,21 @@ - name: Install crontab ansible.builtin.command: cmd: crontab /tmp/production_crontab + changed_when: false - name: Restart services - shell: + ansible.builtin.command: cmd: docker compose up -d --pull always + changed_when: false - name: Prune docker images - shell: + ansible.builtin.command: cmd: docker image prune -f + changed_when: false - name: Index data async: 1800 # 30 minutes poll: 0 - shell: | + ansible.builtin.shell: | make index-data > /var/log/nest/production/index-data.log 2>&1 + changed_when: false diff --git a/.github/ansible/production/proxy.yaml b/.github/ansible/production/proxy.yaml index 0bf1bebccd..2add463f1b 100644 --- a/.github/ansible/production/proxy.yaml +++ b/.github/ansible/production/proxy.yaml @@ -2,7 +2,7 @@ hosts: production_nest_proxy tasks: - name: Copy proxy configuration files - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/proxy/{{ item }}' dest: ~/ mode: '0644' @@ -15,15 +15,17 @@ - redirects.conf - name: Copy docker compose file - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/docker-compose/proxy/compose.yaml' dest: ~/docker-compose.yaml mode: '0644' - name: Restart services - shell: + ansible.builtin.shell: cmd: docker compose up -d --pull always && docker compose restart + changed_when: false - name: Prune docker images - shell: + ansible.builtin.command: cmd: docker image prune -f + changed_when: false diff --git a/.github/ansible/staging/nest.yaml b/.github/ansible/staging/nest.yaml index 8986a6456c..1eacc41034 100644 --- a/.github/ansible/staging/nest.yaml +++ b/.github/ansible/staging/nest.yaml @@ -8,7 +8,7 @@ mode: '0644' - name: Sync Makefile structure - ansible.builtin.synchronize: + ansible.posix.synchronize: src: '{{ github_workspace }}/' dest: '~/' recursive: yes 
@@ -20,11 +20,12 @@ - '--include=*/**/**/Makefile' - '--exclude=*' - - name: Update Makefiles for staging environment - shell: | + - name: Update Makefiles for production environment # noqa: command-instead-of-module risky-shell-pipe + ansible.builtin.shell: | sed -i '/e2e-\|fuzz-/! s/\bnest-backend\b/staging-nest-backend/g' ~/backend/Makefile sed -i '/e2e-\|fuzz-/! s/\bnest-db\b/staging-nest-db/g' ~/backend/Makefile sed -i 's/\bnest-frontend\b/staging-nest-frontend/g' ~/frontend/Makefile + changed_when: false - name: Ensure data directory exists ansible.builtin.file: @@ -33,7 +34,7 @@ mode: '0755' - name: Copy secrets - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/{{ item }}' dest: ~/ mode: '0400' @@ -43,9 +44,9 @@ - .env.db - .env.frontend - - name: Clean up secrets + - name: Clean up secrets # noqa: run-once delegate_to: localhost - file: + ansible.builtin.file: path: '{{ github_workspace }}/{{ item }}' state: absent loop: @@ -56,7 +57,7 @@ run_once: true - name: Copy crontab - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/cron/staging' dest: /tmp/staging_crontab mode: '0600' @@ -64,17 +65,21 @@ - name: Install crontab ansible.builtin.command: cmd: crontab /tmp/staging_crontab + changed_when: false - name: Restart services - shell: + ansible.builtin.command: cmd: docker compose up -d --pull always + changed_when: false - name: Prune docker images - shell: + ansible.builtin.command: cmd: docker image prune -f + changed_when: false - name: Index data async: 1800 # 30 minutes poll: 0 - shell: | + ansible.builtin.shell: | make index-data > /var/log/nest/staging/index-data.log 2>&1 + changed_when: false diff --git a/.github/ansible/staging/proxy.yaml b/.github/ansible/staging/proxy.yaml index dc75d8c107..89ddcc2b54 100644 --- a/.github/ansible/staging/proxy.yaml +++ b/.github/ansible/staging/proxy.yaml 
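Review bot: The task in the staging playbook is renamed from `Update Makefiles for staging environment` to `Update Makefiles for production environment`, while its `sed` expressions still substitute `staging-nest-*`; that looks like a copy-paste from the production playbook and will mislead anyone reading a staging deploy log. Keep the original name, `- name: Update Makefiles for staging environment # noqa: command-instead-of-module risky-shell-pipe`. Separately, `changed_when: false` on a task that runs `sed -i` makes a real file change report as `ok`; the same applies to the `crontab` and `docker compose` tasks in the `@@ -64,17` hunk of this file.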
@@ -2,7 +2,7 @@ hosts: staging_nest_proxy tasks: - name: Copy proxy configuration files - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/proxy/{{ item }}' dest: ~/ mode: '0644' @@ -15,15 +15,17 @@ - staging.conf - name: Copy docker compose file - copy: + ansible.builtin.copy: src: '{{ github_workspace }}/docker-compose/proxy/compose.yaml' dest: ~/docker-compose.yaml mode: '0644' - name: Restart services - shell: + ansible.builtin.shell: cmd: docker compose up -d --pull always && docker compose restart + changed_when: false - name: Prune docker images - shell: + ansible.builtin.command: cmd: docker image prune -f + changed_when: false From f2ea71bb5c21a5c1be041acc27df7de7dae2ac75 Mon Sep 17 00:00:00 2001 From: Muhammad Hassaan Saleem Date: Mon, 9 Feb 2026 07:15:19 +0500 Subject: [PATCH 09/12] ci(ansible): install collections before deploy playbooks Signed-off-by: Muhammad Hassaan Saleem --- .github/ansible/staging/nest.yaml | 2 +- .github/workflows/run-ci-cd.yaml | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/ansible/staging/nest.yaml b/.github/ansible/staging/nest.yaml index 1eacc41034..0c19008c53 100644 --- a/.github/ansible/staging/nest.yaml +++ b/.github/ansible/staging/nest.yaml @@ -20,7 +20,7 @@ - '--include=*/**/**/Makefile' - '--exclude=*' - - name: Update Makefiles for production environment # noqa: command-instead-of-module risky-shell-pipe + - name: Update Makefiles for staging environment # noqa: command-instead-of-module risky-shell-pipe ansible.builtin.shell: | sed -i '/e2e-\|fuzz-/! s/\bnest-backend\b/staging-nest-backend/g' ~/backend/Makefile sed -i '/e2e-\|fuzz-/! s/\bnest-db\b/staging-nest-db/g' ~/backend/Makefile diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 3c4b1b8cbc..1fb197486d 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml 
@@ -668,6 +668,9 @@ jobs: NEXTAUTH_URL=$NEXTAUTH_URL EOF + - name: Install Ansible collections + run: ansible-galaxy collection install -r requirements.yml + - name: Run Nest deploy working-directory: .github/ansible run: ansible-playbook -i inventory.yaml staging/nest.yaml -e "github_workspace=$GITHUB_WORKSPACE" @@ -704,6 +707,9 @@ jobs: $PROXY_SSH_PRIVATE_KEY EOF + - name: Install Ansible collections + run: ansible-galaxy collection install -r requirements.yml + - name: Run proxy deploy working-directory: .github/ansible run: ansible-playbook -i inventory.yaml staging/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE" @@ -1038,6 +1044,9 @@ jobs: "$NEST_GITHUB_APP_PRIVATE_KEY" EOF + - name: Install Ansible collections + run: ansible-galaxy collection install -r requirements.yml + - name: Run Nest deploy working-directory: .github/ansible run: ansible-playbook -i inventory.yaml production/nest.yaml -e "github_workspace=$GITHUB_WORKSPACE" @@ -1074,6 +1083,9 @@ jobs: $PROXY_SSH_PRIVATE_KEY EOF + - name: Install Ansible collections + run: ansible-galaxy collection install -r requirements.yml + - name: Run proxy deploy working-directory: .github/ansible run: ansible-playbook -i inventory.yaml production/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE" From 27e6d1fd669ff12cd04bf6b22b8e6d6310a2ee99 Mon Sep 17 00:00:00 2001 From: Arkadii Yakovets Date: Sun, 8 Feb 2026 19:58:07 -0800 Subject: [PATCH 10/12] Update code --- .ansible-lint | 2 - .github/ansible/production/nest.yaml | 153 +++++++++-------- .github/ansible/production/proxy.yaml | 13 +- .../ansible/requirements.yaml | 0 .github/ansible/staging/nest.yaml | 159 +++++++++--------- .github/ansible/staging/proxy.yaml | 13 +- .github/workflows/run-ci-cd.yaml | 12 +- .pre-commit-config.yaml | 20 +-- Makefile | 3 - 9 files changed, 205 insertions(+), 170 deletions(-) delete mode 100644 .ansible-lint rename requirements.yml => .github/ansible/requirements.yaml (100%) 
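Review bot: The new `Install Ansible collections` step fetches `ansible.posix` from Galaxy at deploy time in the staging and production jobs alike, and the `requirements.yml` added earlier in this series carries no `version:`, so each production deploy installs whatever Galaxy serves that day; a bad or compromised collection release would reach production without any change in this repository. Pin the collection version in `requirements.yml`, and consider caching the installed collection with `actions/cache` keyed on that file so a deploy does not also depend on Galaxy being reachable. The same step is repeated in the hunks at `@@ -704`, `@@ -1038` and `@@ -1074`; a comment on the first occurrence naming the task that needs the collection (`ansible.posix.synchronize`) would make clear why these steps exist.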
diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index 0460704163..0000000000 --- a/.ansible-lint +++ /dev/null @@ -1,2 +0,0 @@ -skip_list: - - yaml diff --git a/.github/ansible/production/nest.yaml b/.github/ansible/production/nest.yaml index 112f84a4ed..b727088a9e 100644 --- a/.github/ansible/production/nest.yaml +++ b/.github/ansible/production/nest.yaml 
@@ -1,81 +1,90 @@ - - name: Deploy Nest to Production - hosts: production_nest - tasks: - - name: Copy docker-compose.yaml - ansible.builtin.copy: - src: '{{ github_workspace }}/docker-compose/production/compose.yaml' - dest: ~/docker-compose.yaml - mode: '0644' +- name: Deploy Nest to Production + hosts: production_nest + tasks: + - name: Copy docker-compose.yaml + ansible.builtin.copy: + src: '{{ github_workspace }}/docker-compose/production/compose.yaml' + dest: ~/docker-compose.yaml + mode: '0644' - - name: Sync Makefile structure - ansible.posix.synchronize: - src: '{{ github_workspace }}/' - dest: '~/' - recursive: yes - rsync_opts: - - '--include=*/' - - '--include=Makefile' - - '--include=*/Makefile' - - '--include=*/**/Makefile' - - '--include=*/**/**/Makefile' - - '--exclude=*' + - name: Sync Makefile structure + ansible.posix.synchronize: + src: '{{ github_workspace }}/' + dest: '~/' + recursive: true + rsync_opts: + - '--include=*/' + - '--include=Makefile' + - '--include=*/Makefile' + - '--include=*/**/Makefile' + - '--include=*/**/**/Makefile' + - '--exclude=*' - - name: Update Makefiles for production environment # noqa: command-instead-of-module risky-shell-pipe - ansible.builtin.shell: | - sed -i '/e2e-\|fuzz-/! s/\bnest-backend\b/production-nest-backend/g' ~/backend/Makefile - sed -i '/e2e-\|fuzz-/! s/\bnest-db\b/production-nest-db/g' ~/backend/Makefile - sed -i 's/\bnest-frontend\b/production-nest-frontend/g' ~/frontend/Makefile - changed_when: false + - name: Update Makefiles for production environment + ansible.builtin.command: + argv: + - sed + - -i + - "{{ item.sed_expr }}" + - "{{ item.path }}" + loop: + - sed_expr: '/e2e-\|fuzz-/! s/\bnest-backend\b/production-nest-backend/g' + path: '{{ ansible_env.HOME }}/backend/Makefile' + - sed_expr: '/e2e-\|fuzz-/! 
s/\bnest-db\b/production-nest-db/g' + path: '{{ ansible_env.HOME }}/backend/Makefile' + - sed_expr: 's/\bnest-frontend\b/production-nest-frontend/g' + path: '{{ ansible_env.HOME }}/frontend/Makefile' + changed_when: false - - name: Copy secrets - ansible.builtin.copy: - src: '{{ github_workspace }}/{{ item }}' - dest: ~/ - mode: '0400' - loop: - - .env.backend - - .env.cache - - .env.db - - .env.frontend - - .github.pem + - name: Copy secrets + ansible.builtin.copy: + src: '{{ github_workspace }}/{{ item }}' + dest: ~/ + mode: '0400' + loop: + - .env.backend + - .env.cache + - .env.db + - .env.frontend + - .github.pem - - name: Clean up secrets # noqa: run-once - delegate_to: localhost - ansible.builtin.file: - path: '{{ github_workspace }}/{{ item }}' - state: absent - loop: - - .env.backend - - .env.cache - - .env.db - - .env.frontend - - .github.pem - run_once: true + - name: Clean up secrets + delegate_to: localhost + ansible.builtin.file: + path: '{{ github_workspace }}/{{ item }}' + state: absent + loop: + - .env.backend + - .env.cache + - .env.db + - .env.frontend + - .github.pem - - name: Copy crontab - ansible.builtin.copy: - src: '{{ github_workspace }}/cron/production' - dest: /tmp/production_crontab - mode: '0600' + - name: Copy crontab + ansible.builtin.copy: + src: '{{ github_workspace }}/cron/production' + dest: /tmp/production_crontab + mode: '0600' - - name: Install crontab - ansible.builtin.command: - cmd: crontab /tmp/production_crontab - changed_when: false + - name: Install crontab + ansible.builtin.command: + cmd: crontab /tmp/production_crontab + changed_when: false - - name: Restart services - ansible.builtin.command: - cmd: docker compose up -d --pull always - changed_when: false + - name: Restart services + ansible.builtin.command: + cmd: docker compose up -d --pull always + changed_when: false - - name: Prune docker images - ansible.builtin.command: - cmd: docker image prune -f - changed_when: false + - name: Prune docker images + 
ansible.builtin.command: + cmd: docker image prune -f + changed_when: false - - name: Index data - async: 1800 # 30 minutes - poll: 0 - ansible.builtin.shell: | - make index-data > /var/log/nest/production/index-data.log 2>&1 - changed_when: false + - name: Index data + async: 1800 # 30 minutes + poll: 0 + # Shell required for stdout/stderr redirect to log file. + ansible.builtin.shell: | + make index-data > /var/log/nest/production/index-data.log 2>&1 + changed_when: false diff --git a/.github/ansible/production/proxy.yaml b/.github/ansible/production/proxy.yaml index 2add463f1b..5c06a7200e 100644 --- a/.github/ansible/production/proxy.yaml +++ b/.github/ansible/production/proxy.yaml @@ -20,9 +20,18 @@ dest: ~/docker-compose.yaml mode: '0644' + - name: Pull and start services + ansible.builtin.command: + cmd: docker compose up -d --pull always + args: + chdir: "{{ ansible_env.HOME }}" + changed_when: false + - name: Restart services - ansible.builtin.shell: - cmd: docker compose up -d --pull always && docker compose restart + ansible.builtin.command: + cmd: docker compose restart + args: + chdir: "{{ ansible_env.HOME }}" changed_when: false - name: Prune docker images diff --git a/requirements.yml b/.github/ansible/requirements.yaml similarity index 100% rename from requirements.yml rename to .github/ansible/requirements.yaml diff --git a/.github/ansible/staging/nest.yaml b/.github/ansible/staging/nest.yaml index 0c19008c53..d234e8130f 100644 --- a/.github/ansible/staging/nest.yaml +++ b/.github/ansible/staging/nest.yaml 
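Review bot: In the rewritten `Restart services` and `Prune docker images` tasks, `docker compose up -d --pull always` runs through `ansible.builtin.command` without a `chdir`, while the proxy playbooks in this same commit add `args: chdir: "{{ ansible_env.HOME }}"` to the equivalent tasks; `docker compose` takes its compose file from the working directory, so the nest playbooks rely on the remote login directory happening to be the home where `docker-compose.yaml` was copied. Add the same two lines, `args:` and `chdir: "{{ ansible_env.HOME }}"`, to both tasks here and in the matching hunk of the staging playbook. The `argv` form of the `sed` task is a clear improvement over the shell string, but `changed_when: false` still makes a task that rewrites files report `ok`; and `ansible_env.HOME` presumes fact gathering is enabled for the play, which the playbook does not set explicitly, so it is worth confirming nothing in the inventory or configuration disables it.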
@@ -1,85 +1,94 @@ - - name: Deploy Nest to Staging - hosts: staging_nest - tasks: - - name: Copy docker-compose.yaml - ansible.builtin.copy: - src: '{{ github_workspace }}/docker-compose/staging/compose.yaml' - dest: ~/docker-compose.yaml - mode: '0644' +- name: Deploy Nest to Staging + hosts: staging_nest + tasks: + - name: Copy docker-compose.yaml + ansible.builtin.copy: + src: '{{ github_workspace }}/docker-compose/staging/compose.yaml' + dest: ~/docker-compose.yaml + mode: '0644' - - name: Sync Makefile structure - ansible.posix.synchronize: - src: '{{ github_workspace }}/' - dest: '~/' - recursive: yes - rsync_opts: - - '--include=*/' - - '--include=Makefile' - - '--include=*/Makefile' - - '--include=*/**/Makefile' - - '--include=*/**/**/Makefile' - - '--exclude=*' + - name: Sync Makefile structure + ansible.posix.synchronize: + src: '{{ github_workspace }}/' + dest: '~/' + recursive: true + rsync_opts: + - '--include=*/' + - '--include=Makefile' + - '--include=*/Makefile' + - '--include=*/**/Makefile' + - '--include=*/**/**/Makefile' + - '--exclude=*' - - name: Update Makefiles for staging environment # noqa: command-instead-of-module risky-shell-pipe - ansible.builtin.shell: | - sed -i '/e2e-\|fuzz-/! s/\bnest-backend\b/staging-nest-backend/g' ~/backend/Makefile - sed -i '/e2e-\|fuzz-/! s/\bnest-db\b/staging-nest-db/g' ~/backend/Makefile - sed -i 's/\bnest-frontend\b/staging-nest-frontend/g' ~/frontend/Makefile - changed_when: false + - name: Update Makefiles for staging environment + ansible.builtin.command: + argv: + - sed + - -i + - "{{ item.sed_expr }}" + - "{{ item.path }}" + loop: + - sed_expr: '/e2e-\|fuzz-/! s/\bnest-backend\b/staging-nest-backend/g' + path: '{{ ansible_env.HOME }}/backend/Makefile' + - sed_expr: '/e2e-\|fuzz-/! 
s/\bnest-db\b/staging-nest-db/g' + path: '{{ ansible_env.HOME }}/backend/Makefile' + - sed_expr: 's/\bnest-frontend\b/staging-nest-frontend/g' + path: '{{ ansible_env.HOME }}/frontend/Makefile' + changed_when: false - - name: Ensure data directory exists - ansible.builtin.file: - path: ~/backend/data - state: directory - mode: '0755' + - name: Ensure data directory exists + ansible.builtin.file: + path: ~/backend/data + state: directory + mode: '0755' - - name: Copy secrets - ansible.builtin.copy: - src: '{{ github_workspace }}/{{ item }}' - dest: ~/ - mode: '0400' - loop: - - .env.backend - - .env.cache - - .env.db - - .env.frontend + - name: Copy secrets + ansible.builtin.copy: + src: '{{ github_workspace }}/{{ item }}' + dest: ~/ + mode: '0400' + loop: + - .env.backend + - .env.cache + - .env.db + - .env.frontend - - name: Clean up secrets # noqa: run-once - delegate_to: localhost - ansible.builtin.file: - path: '{{ github_workspace }}/{{ item }}' - state: absent - loop: - - .env.backend - - .env.cache - - .env.db - - .env.frontend - run_once: true + - name: Clean up secrets + delegate_to: localhost + ansible.builtin.file: + path: '{{ github_workspace }}/{{ item }}' + state: absent + loop: + - .env.backend + - .env.cache + - .env.db + - .env.frontend - - name: Copy crontab - ansible.builtin.copy: - src: '{{ github_workspace }}/cron/staging' - dest: /tmp/staging_crontab - mode: '0600' + - name: Copy crontab + ansible.builtin.copy: + src: '{{ github_workspace }}/cron/staging' + dest: /tmp/staging_crontab + mode: '0600' - - name: Install crontab - ansible.builtin.command: - cmd: crontab /tmp/staging_crontab - changed_when: false + - name: Install crontab + ansible.builtin.command: + cmd: crontab /tmp/staging_crontab + changed_when: false - - name: Restart services - ansible.builtin.command: - cmd: docker compose up -d --pull always - changed_when: false + - name: Restart services + ansible.builtin.command: + cmd: docker compose up -d --pull always + changed_when: 
false - - name: Prune docker images - ansible.builtin.command: - cmd: docker image prune -f - changed_when: false + - name: Prune docker images + ansible.builtin.command: + cmd: docker image prune -f + changed_when: false - - name: Index data - async: 1800 # 30 minutes - poll: 0 - ansible.builtin.shell: | - make index-data > /var/log/nest/staging/index-data.log 2>&1 - changed_when: false + - name: Index data + async: 1800 # 30 minutes + poll: 0 + # Shell required for stdout/stderr redirect to log file. + ansible.builtin.shell: | + make index-data > /var/log/nest/staging/index-data.log 2>&1 + changed_when: false diff --git a/.github/ansible/staging/proxy.yaml b/.github/ansible/staging/proxy.yaml index 89ddcc2b54..7eb0981065 100644 --- a/.github/ansible/staging/proxy.yaml +++ b/.github/ansible/staging/proxy.yaml @@ -20,9 +20,18 @@ dest: ~/docker-compose.yaml mode: '0644' + - name: Pull and start services + ansible.builtin.command: + cmd: docker compose up -d --pull always + args: + chdir: "{{ ansible_env.HOME }}" + changed_when: false + - name: Restart services - ansible.builtin.shell: - cmd: docker compose up -d --pull always && docker compose restart + ansible.builtin.command: + cmd: docker compose restart + args: + chdir: "{{ ansible_env.HOME }}" changed_when: false - name: Prune docker images diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 1fb197486d..79f902c0a0 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -669,7 +669,8 @@ jobs: EOF - name: Install Ansible collections - run: ansible-galaxy collection install -r requirements.yml + run: ansible-galaxy collection install -r requirements.yaml + working-directory: .github/ansible - name: Run Nest deploy working-directory: .github/ansible 
@@ -708,7 +709,8 @@ jobs: EOF - name: Install Ansible collections - run: ansible-galaxy collection install -r requirements.yml + run: ansible-galaxy collection install -r requirements.yaml + working-directory: .github/ansible - name: Run proxy deploy working-directory: .github/ansible @@ -1045,7 +1047,8 @@ jobs: EOF - name: Install Ansible collections - run: ansible-galaxy collection install -r requirements.yml + run: ansible-galaxy collection install -r requirements.yaml + working-directory: .github/ansible - name: Run Nest deploy working-directory: .github/ansible @@ -1084,7 +1087,8 @@ jobs: EOF - name: Install Ansible collections - run: ansible-galaxy collection install -r requirements.yml + run: ansible-galaxy collection install -r requirements.yaml + working-directory: .github/ansible - name: Run proxy deploy working-directory: .github/ansible diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cbfa58057f..acb5d8c91a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -9,6 +9,16 @@ repos: - --strict exclude: (.github|pnpm-lock.yaml) + - repo: https://github.com/ansible/ansible-lint + rev: v26.1.1 + hooks: + - id: ansible-lint + args: + - .github/ansible + files: ^\.github/ansible/.*\.ya?ml$ + language_version: python3 + pass_filenames: true + - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.15.0 hooks: @@ -87,13 +97,3 @@ repos: rev: v2.12.1 hooks: - id: pyproject-fmt - - - repo: https://github.com/ansible/ansible-lint - rev: v26.1.1 - hooks: - - id: ansible-lint - language_version: python3 - args: - - .github/ansible - files: ^\.github/ansible/.*\.ya?ml$ - pass_filenames: true diff --git a/Makefile b/Makefile index 245cb59062..3afdd3611c 100644 --- a/Makefile +++ b/Makefile 
@@ -63,9 +63,6 @@ run: docker compose -f docker-compose/local/compose.yaml --project-name nest-local build && \ docker compose -f docker-compose/local/compose.yaml --project-name nest-local up --remove-orphans -lint-ansible: - pre-commit run ansible-lint --all-files - security-scan: \ security-scan-code \ security-scan-images From d9ae9d75272cfcc90197f1e4370667c9b96f1899 Mon Sep 17 00:00:00 2001 From: Arkadii Yakovets Date: Sun, 8 Feb 2026 20:01:31 -0800 Subject: [PATCH 11/12] Update code --- .github/workflows/run-ci-cd.yaml | 8 ++++---- Makefile | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index 79f902c0a0..d5af535c84 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -673,8 +673,8 @@ jobs: working-directory: .github/ansible - name: Run Nest deploy - working-directory: .github/ansible run: ansible-playbook -i inventory.yaml staging/nest.yaml -e "github_workspace=$GITHUB_WORKSPACE" + working-directory: .github/ansible timeout-minutes: 5 deploy-staging-nest-proxy: @@ -713,8 +713,8 @@ jobs: working-directory: .github/ansible - name: Run proxy deploy - working-directory: .github/ansible run: ansible-playbook -i inventory.yaml staging/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE" + working-directory: .github/ansible timeout-minutes: 5 run-staging-lighthouse-ci: @@ -1051,8 +1051,8 @@ jobs: working-directory: .github/ansible - name: Run Nest deploy - working-directory: .github/ansible run: ansible-playbook -i inventory.yaml production/nest.yaml -e "github_workspace=$GITHUB_WORKSPACE" + working-directory: .github/ansible timeout-minutes: 5 deploy-production-nest-proxy: 
@@ -1091,8 +1091,8 @@ jobs: working-directory: .github/ansible - name: Run proxy deploy - working-directory: .github/ansible run: ansible-playbook -i inventory.yaml production/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE" + working-directory: .github/ansible timeout-minutes: 5 run-production-zap-baseline-scan: diff --git a/Makefile b/Makefile index 3afdd3611c..0527fabe30 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ include frontend/Makefile .PHONY: build clean check pre-commit prune run scan-images security-scan security-scan-code \ security-scan-code-semgrep security-scan-code-trivy security-scan-images \ security-scan-backend-image security-scan-frontend-image test update \ - clean-trivy-cache lint-ansible + clean-trivy-cache MAKEFLAGS += --no-print-directory From 8ddc926bd1205e4f726e6f8eba8f1b1221e69744 Mon Sep 17 00:00:00 2001 From: Arkadii Yakovets Date: Sun, 8 Feb 2026 20:14:01 -0800 Subject: [PATCH 12/12] Update .github/workflows/run-ci-cd.yaml --- .github/workflows/run-ci-cd.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml index d5af535c84..e90b5c8de1 100644 --- a/.github/workflows/run-ci-cd.yaml +++ b/.github/workflows/run-ci-cd.yaml @@ -52,6 +52,11 @@ jobs: restore-keys: | pre-commit-${{ runner.os }}- + - name: Install Ansible collections for ansible-lint + run: | + pip install ansible-core + ansible-galaxy collection install -r .github/ansible/requirements.yaml + - name: Run pre-commit uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd