ci: Add python unit tests

Signed-off-by: Sergei Petrosian <[email protected]>

Author: spetrosi

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+---
+name: CodeQL
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  merge_group:
+    branches:
+      - main
+    types:
+      - checks_requested
+  schedule:
+    - cron: 4 3 * * 2
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+    steps:
+      - name: Update pip, git
+        run: |
+          set -euxo pipefail
+          sudo apt update
+          sudo apt install -y git
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/python-unit-test.yml

@@ -0,0 +1,92 @@
+---
+# yamllint disable rule:line-length
+name: Python Unit Tests
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+  merge_group:
+    branches:
+      - main
+    types:
+      - checks_requested
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+permissions:
+  contents: read
+jobs:
+  python:
+    strategy:
+      matrix:
+        pyver_os:
+          - ver: "2.7"
+            os: ubuntu-20.04
+          - ver: "3.6"
+            os: ubuntu-20.04
+          - ver: "3.8"
+            os: ubuntu-latest
+          - ver: "3.9"
+            os: ubuntu-latest
+          - ver: "3.10"
+            os: ubuntu-latest
+          - ver: "3.11"
+            os: ubuntu-latest
+    runs-on: ${{ matrix.pyver_os.os }}
+    steps:
+      - name: Update git
+        run: |
+          set -euxo pipefail
+          sudo apt update
+          sudo apt install -y git
+
+      - name: checkout PR
+        uses: actions/checkout@v4
+
+      - name: Set up Python 2.7
+        if: ${{ matrix.pyver_os.ver == '2.7' }}
+        run: |
+          set -euxo pipefail
+          sudo apt install -y python2.7
+
+      - name: Set up Python 3
+        if: ${{ matrix.pyver_os.ver != '2.7' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.pyver_os.ver }}
+
+      - name: Install platform dependencies, python, tox, tox-lsr
+        run: |
+          set -euxo pipefail
+          python -m pip install --upgrade pip
+          if [ "${{ matrix.pyver_os.ver }}" = 2.7 ]; then
+            # newer virtualenv cannot create python2 venvs
+            # newer tox requires newer virtualenv
+            tox='tox<4.15'
+            virtualenv='virtualenv<20.22.0'
+          else
+            tox=tox
+            virtualenv=virtualenv
+          fi
+          pip install "$tox" "$virtualenv" "git+https://github.com/linux-system-roles/[email protected]"
+          # If you have additional OS dependency packages e.g. libcairo2-dev
+          # then put them in .github/config/ubuntu-requirements.txt, one
+          # package per line.
+          if [ -f .github/config/ubuntu-requirements.txt ]; then
+            sudo apt-get install -y $(cat .github/config/ubuntu-requirements.txt)
+          fi
+
+      - name: Run unit tests
+        run: |
+          set -euxo pipefail
+          toxpyver=$(echo "${{ matrix.pyver_os.ver }}" | tr -d .)
+          toxenvs="py${toxpyver}"
+          # NOTE: The use of flake8, pylint, black with specific
+          # python envs is arbitrary and must be changed in tox-lsr
+          case "$toxpyver" in
+          310) toxenvs="${toxenvs},coveralls,flake8,pylint,black" ;;
+          *) toxenvs="${toxenvs},coveralls" ;;
+          esac
+          TOXENV="$toxenvs" lsr_ci_runtox
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v4

.github/workflows/tft.yml

@@ -123,7 +123,7 @@ jobs:
           ${{ matrix.platform }}-${{ matrix.ansible_version }}_$DATETIME/artifacts"
           ARTIFACTS_TARGET_DIR=/srv/pub/alt/linuxsystemroles/logs
           ARTIFACTS_DIR=$ARTIFACTS_TARGET_DIR/$ARTIFACTS_DIR_NAME
-          ARTIFACTS_URL=https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs/$ARTIFACTS_DIR_NAME
+          ARTIFACTS_URL=https://dl.fedoraproject.org/pub/alt/linuxsystemroles/logs$ARTIFACTS_DIR_NAME
           echo "DATETIME=$DATETIME" >> $GITHUB_OUTPUT
           echo "ARTIFACTS_DIR=$ARTIFACTS_DIR" >> $GITHUB_OUTPUT
           echo "ARTIFACTS_URL=$ARTIFACTS_URL" >> $GITHUB_OUTPUT

README.md

@@ -455,4 +455,4 @@ See README-ostree.md
 MIT
 
 Based on [Ansible-sudoers](https://github.com/ahuffman/ansible-sudoers).
-[![ansible-lint.yml](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/sudo/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/sudo/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/sudo/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/sudo/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/sudo/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/ansible-test.yml) [![codeql.yml](https://github.com/linux-system-roles/sudo/actions/workflows/codeql.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/codeql.yml) [![markdownlint.yml](https://github.com/linux-system-roles/sudo/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/markdownlint.yml) [![python-unit-test.yml](https://github.com/linux-system-roles/sudo/actions/workflows/python-unit-test.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/python-unit-test.yml) [![shellcheck.yml](https://github.com/linux-system-roles/sudo/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/sudo/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/sudo/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/sudo/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/sudo/actions/workflows/woke.yml)

contributing.md

@@ -19,3 +19,34 @@ are likely to be suitable for new contributors!
 
 **Code** is managed on [Github](https://github.com/linux-system-roles/sudo), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
+
+## Python Code
+
+The Python code needs to be **compatible with the Python versions supported by
+the role platform**.
+
+For example, see [meta](https://github.com/linux-system-roles/sudo/blob/main/meta/main.yml)
+for the platforms supported by the role.
+
+If the role provides Ansible modules (code in `library/` or `module_utils/`) -
+these run on the *managed* node, and typically[1] use the default system python:
+
+* EL6 - python 2.6
+* EL7 - python 2.7 or python 3.6 in some cases
+* EL8 - python 3.6
+* EL9 - python 3.9
+
+If the role provides some other sort of Ansible plugin such as a filter, test,
+etc. - these run on the *control* node and typically use whatever version of
+python that Ansible uses, which in many cases is *not* the system python, and
+may be a modularity release such as python311.
+
+In general, it is a good idea to ensure the role python code works on all
+versions of python supported by `tox-lsr` from py36 on, and on py27 if the role
+supports EL7, and on py26 if the role supports EL6.[1]
+
+[1] Advanced users may set
+[ansible_python_interpreter](https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html#term-ansible_python_interpreter)
+to use a non-system python on the managed node, so it is a good idea to ensure
+your code has broad python version compatibility, and do not assume your code
+will only ever be run with the default system python.