Enable linting (#732)

* Add Github Actions for running code linters

* Fix linting issues.

The super-linter.env currently has the following additions that are to be addressed in the future:
VALIDATE_GITHUB_ACTIONS=false
VALIDATE_SHELL_SHFMT=false
VALIDATE_YAML=false

Most of the linting for the above has been addressed with just a single issue remaining that blocks the linter from being enabled.

* Update GH workflow so linting always runs befor any other jobs

* Update GH workflow so linting always runs befor any other jobs

* Fix linting issues on the merge of origin/main

* Fix linting issues on the merge of origin/main

* Use the head ref for workflow concurrency

* Output the path filter result of the workflow

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Tweak github action used to detect changed paths on push/pull request

* Troubleshooting: ansible.builtin.user

* Troubleshooting: debugging temporarily added

* Shift pylint invalid-name linting behond python bang line

* Temporarily disable the ansible galaxy requirements validation

* Reverting changes made to ansible.builtin.user and ansible.builtin.group where the name parameter was added.
Reverting to ansible.builtin.group: <args>

becasue args aren't an expected label:

groupadd: '{'name': 'grafana', 'gid': 979}' is not a valid group name

* Arguments are dicts not labels

* Preserve file permissions on .ssh directory contents

* Wherever we use become_user set become: true, keeps the linter happy and maintains functionality

* Fix linting on merge of origin/main

* Fix linting on merge of origin/main

* Update cluster image - using fatimage built from ci/linting branch

* Add comments to workflow files detailing the CI workflow and enable these workflows

* Fix workflow execution:
 1. change trivvy to trivy
 2. extra, stackhpc, and trivyscan workflows should trigger on workflow_call and workflow_dispatch

* Fix linting issues from merge of origin/main

* Exclude 'ansible/roles/compute_init/files/compute-init.yml' from ansible lint.
The parser can't load the 'tasks/tuned.yml' ansible so fails with:

load-failure[filenotfounderror]: [Errno 2] No such file or directory: 'ansible-slurm-appliance/tasks/main.yml'
tasks/main.yml:1

This failure can't be skipped beause it's the output of the parser that's fed to the linter where such exceptions are made.

* Temporarily disable Rocky 8 to speed up testing and reduce CI resources
Temporarily disable ansible-lint:

Run ansible/[email protected]
Run if [[ -n "" ]]; then
Run action_ref="${GH_ACTION_REF_INPUT:-${GITHUB_ACTION_REF:-main}}"
Using ansible-lint ref: main
Run reqs_file=$(git rev-parse --show-toplevel)/.git/ansible-lint-requirements.txt
--2025-09-09 14:51:58--  https://raw.githubusercontent.com/ansible/ansible-lint/main/.config/requirements-lock.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2025-09-09 14:51:58 ERROR 404: Not Found.

* Fix some bad ansible-lint line-length markup

* Fix ansible-lint markup for line-length

* Bump CI image - FOR RL9 ONLY TO CONSERVE CI RESOURCES

* Revert ansible.builtin.command to ansible.builtin.shell due to missed comment "need login shell for module command" and mask ansible-lint error

* Disable extra-build.yml workflow which has previously passed so we can focus on the stackhpc.yml workflow

* Disable concurrency to see if this is killing stackhpc.yml

* Remove concurrency from extr.yml, stackhpc.yml, and trivyscan.yml as they're all being triggered from main.yml which has its own concurrency check - the trivscan concurrency was also killing stackhpc

* Enable ansible-lint

* Enable triggering of all workflows from the main CI workflow

* Bump CI image - FOR RL9 ONLY TO CONSERVE CI RESOURCES

* Fix bad ansible-lint markup affecting the bang line

* Reduce workflow CI resources whilst fixing test deploy and reimage workflow

* Bump CI image - FOR RL9 ONLY TO CONSERVE CI RESOURCES

* Enable Rocky Linux 8 - disabled to speed up testing

* Enable all CI workflows

* Bump CI image - FOR RL9 ONLY TO CONSERVE CI RESOURCES

* Remove empty line between ansible "when" and "block" added by ansible-lint --fix, it's not required by the linter.

* Enable check for ansible galaxy requirements

* Revert the ansible collections path to ansible/collections so we don't inadvertently break any existing checkouts.
Direct ansible-lint to use .ansible/collections so downloads are excluded from linting by our .ansible-lint.yml

* Bump CI image

Author: maxstack

.ansible-lint.yml

@@ -0,0 +1,24 @@
+---
+skip_list:
+  - role-name
+  # Unresolved issues with parsing jinja in multiline strings
+  # https://github.com/ansible/ansible-lint/issues/3935
+  - jinja[spacing]
+  - galaxy[no-changelog]
+  - meta-runtime[unsupported-version]
+
+warn_list:
+  - name[missing]
+  - name[play]
+  - var-naming
+
+exclude_paths:
+  - actionlint.yml
+  - .ansible/
+  - .github/
+  # Rule 'syntax-check' is unskippable, you cannot use it in 'skip_list' or 'warn_list'.
+  # It breaks the parser which takes place before the linter, the only option is to exclude the file.
+  - ansible/roles/filebeat/tasks/runtime.yml
+  - environments/common/files/filebeat/filebeat.yml
+  # Rule 'load-failure[filenotfounderror]' is also unskippable
+  - ansible/roles/compute_init/files/compute-init.yml

.checkov.yaml

@@ -0,0 +1,4 @@
+---
+skip-check:
+  # Requires all blocks to have rescue: - not considered appropriate
+  - CKV2_ANSIBLE_3

.editorconfig

@@ -0,0 +1,8 @@
+# The is primarily used to alter the behaviour of linters executed by super-linter.
+# See https://editorconfig.org/
+
+# shfmt will default to indenting shell scripts with tabs,
+# define the indent as 2 spaces
+[{.github/bin,dev}/*.sh]
+indent_style = space
+indent_size = 2

.github/bin/create-merge-branch.sh

@@ -44,7 +44,7 @@ if git show-branch "remotes/origin/$BRANCH_NAME" >/dev/null 2>&1; then
 fi
 
 echo "[INFO] Merging release tag - $RELEASE_TAG"
-git merge --strategy recursive -X theirs --no-commit $RELEASE_TAG
+git merge --strategy recursive -X theirs --no-commit "$RELEASE_TAG"
 
 # Check if the merge resulted in any changes being staged
 if [ -n "$(git status --short)" ]; then
@@ -54,7 +54,7 @@ if [ -n "$(git status --short)" ]; then
   # NOTE(scott): The GitHub create-pull-request action does
   # the commiting for us, so we only need to make branches
   # and commits if running outside of GitHub actions.
-  if [ ! $GITHUB_ACTIONS ]; then
+  if [ ! "$GITHUB_ACTIONS" ]; then
     echo "[INFO] Checking out temporary branch '$BRANCH_NAME'..."
     git checkout -b "$BRANCH_NAME"
 
@@ -74,8 +74,8 @@ if [ -n "$(git status --short)" ]; then
 
   # Write a file containing the branch name and tag
   # for automatic PR or MR creation that follows
-  echo "BRANCH_NAME=\"$BRANCH_NAME\"" > .mergeenv
-  echo "RELEASE_TAG=\"$RELEASE_TAG\"" >> .mergeenv
+  echo "BRANCH_NAME=\"$BRANCH_NAME\"" >.mergeenv
+  echo "RELEASE_TAG=\"$RELEASE_TAG\"" >>.mergeenv
 else
   echo "[INFO] Merge resulted in no changes"
-fi
+fi

.github/bin/get-s3-image.sh

@@ -13,14 +13,14 @@ echo "Checking if image $image_name exists in OpenStack"
 image_exists=$(openstack image list --name "$image_name" -f value -c Name)
 
 if [ -n "$image_exists" ]; then
-    echo "Image $image_name already exists in OpenStack."
+  echo "Image $image_name already exists in OpenStack."
 else
-    echo "Image $image_name not found in OpenStack. Getting it from S3."
+  echo "Image $image_name not found in OpenStack. Getting it from S3."
 
-    wget https://leafcloud.store/swift/v1/AUTH_f39848421b2747148400ad8eeae8d536/$bucket_name/$image_name --progress=dot:giga
+  wget "https://leafcloud.store/swift/v1/AUTH_f39848421b2747148400ad8eeae8d536/$bucket_name/$image_name" --progress=dot:giga
 
-    echo "Uploading image $image_name to OpenStack..."
-    openstack image create --file $image_name --disk-format qcow2 $image_name --progress
+  echo "Uploading image $image_name to OpenStack..."
+  openstack image create --file "$image_name" --disk-format qcow2 "$image_name" --progress
 
-    echo "Image $image_name has been uploaded to OpenStack."
-fi
+  echo "Image $image_name has been uploaded to OpenStack."
+fi

.github/linters/.checkov.yaml

@@ -0,0 +1 @@
+../../.checkov.yaml

.github/linters/.python-lint

@@ -0,0 +1 @@
+../../.python-lint

.github/linters/.shellcheckrc

@@ -0,0 +1 @@
+../../.shellcheckrc

.github/linters/.yamllint.yml

@@ -0,0 +1 @@
+../../.yamllint.yml

.github/linters/actionlint.yml

@@ -0,0 +1 @@
+../../actionlint.yml