fix/improve-ci-and-resources-used (jdaln#16)

CI improvments: * removed main branch CI because it is not used. Branch PR tests are currently enough. * removed cache apt step due to erroring and general complexity / unstability. * add linting and remove unused linting elements. * only run the linting related tasks on linting PRs to save resources.
HBPMedical · Jul 19, 2024 · 117098b · 117098b
1 parent e5f0a78
commit 117098b
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 157 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -4,5 +4,6 @@ exclude_paths:
   - .git/
   - .github/
   - .pre-commit-config.yaml
+  - testing/test-new-version-hardening.yml
 warn_list:
   - var-naming[no-role-prefix]
diff --git a/.github/workflows/ci-vagrant-playbook-test.yml b/.github/workflows/ci-vagrant-playbook-test.yml
diff --git a/.github/workflows/deps-new-version-test.yml b/.github/workflows/deps-new-version-test.yml
@@ -6,7 +6,7 @@ on:
       - main 
 jobs:
   vagrant-test-new-deps-version:
-    if: startsWith(github.head_ref, 'renovate/') # Checks if the source branch starts with "renovate/"
+    if: (!contains(github.event.pull_request.title, 'dependency ansible-lint')) # Checks the merge request except on some specific deps update
     runs-on: ubuntu-22.04
     env:
       VAGRANT_DIR: ~/.vagrant.d/boxes
@@ -27,17 +27,6 @@ jobs:
           vagrant plugin install vagrant-vbguest
           vagrant plugin install vagrant-disksize
 
-      - name: Cache apt packages
-        uses: actions/cache@v4
-        with:
-          path: |
-            /var/cache/apt/archives
-            /var/lib/apt/lists
-          key: ${{ runner.os }}-apt-${{ hashFiles('**/Dockerfile') }}
-          restore-keys: |
-            ${{ runner.os }}-apt-
-        # Caches the downloaded apt packages to save time and bandwidth on subsequent runs
-
       - name: Install requirements for Python and Ansible
         run: |
           pip install -r requirements.txt
@@ -91,7 +80,7 @@ jobs:
   update-version-in-playbook:
     needs: vagrant-test-new-deps-version  # This job runs after vagrant-test-new-deps-version succeeds
     runs-on: ubuntu-latest
-    if: success() && contains(github.event.pull_request.title, 'konstruktoid.hardening')
+    if: success() && contains(github.event.pull_request.title, 'dependency konstruktoid.hardening')
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,18 @@
+on: [push, pull_request]
+name: Ansible Lint
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@eb92667e07cc18e1d115ff02e5f07126310cec11 # main
diff --git a/README.md b/README.md
@@ -1,17 +1,26 @@
-# deb-server-management
-Server management playbooks
+# linux-server-management
+Server management playbooks for Debian/Ubuntu based Linux.
 
 ### Pre-requisites
+
 Pre-requisite commands depends on your OS.
+Install the software needed to launch this and its automated testing scripts:
+
+#### Debian-based Linux
+```
+sudo apt update
+sudo apt install virtualbox vagrant python3-pip
+```
 
 #### Mac OS
-Then, install the software needed to launch this and its automatic testing:
 ```
-brew install vagrant
+brew install python
+python3 -m ensurepip --upgrade
 brew install --cask virtualbox
+brew install vagrant
 ```
 
-### Before running anything from this repository
+### Before running anything
 Before running anything from this repository, install the following (after the Pre-requisites specific to your OS)
 ```
 pip install -r requirements.txt

diff --git a/action-lint/Dockerfile b/action-lint/Dockerfile
diff --git a/action-lint/entrypoint.sh b/action-lint/entrypoint.sh
diff --git a/setup-playbook.yml b/setup-playbook.yml
@@ -39,6 +39,7 @@
       ansible.builtin.include_role:
         name: konstruktoid.hardening
       vars:
+        # noqa: var-naming[no-role-prefix]
         auditd_action_mail_acct: "{{ AUDITD_ACTION_MAIL_ACCT }}"
         manage_ufw: "{{ MANAGE_UFW }}"
         ufw_outgoing_traffic: "{{ UFW_OUTGOING_TRAFFIC }}"

diff --git a/testing/vars.yml b/testing/vars.yml
@@ -1,4 +1,4 @@
-# This file is not automatically injected during the testing. 
+# This file is not automatically injected during the testing.
 # You must add vars_files:
 #    - vars.yml
 # in testing/being_tested.yml for it to be considered.