40 changes: 40 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,40 @@
name: Lint Ansible & YAML

on:
push:
branches:
- "feature/github-actions"
pull_request:
branches:
- main

jobs:
lint:
name: Lint codebase
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.13"

- name: Cache pip
uses: actions/cache@v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-

- name: Install linting tools
run: |
python -m pip install --upgrade pip
pip install ansible ansible-lint yamllint

- name: Run Ansible Lint
working-directory: ansible
run: ansible-lint .
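Review bot: The 'Install linting tools' step installs yamllint, but the only lint step that follows is `run: ansible-lint .`, so YAML linting never happens in CI although the workflow is named 'Lint Ansible & YAML' and the Makefile `lint` target runs both tools. Add a step after it such as `- name: Run yamllint` / `run: yamllint .`. The cache key hashes `requirements.txt` at the repository root while the project's file is `ansible/requirements.txt` (the one this PR edits), so the key never changes with dependencies; `hashFiles('ansible/requirements.txt')` fixes that, and installing with `pip install -r ansible/requirements.txt` instead of unpinned `ansible ansible-lint yamllint` keeps CI on the same versions as the pre-commit pin `v25.9.2`. For supply-chain hygiene, pinning the three actions to a commit SHA rather than the mutable `@v4`/`@v5` tags is also worth considering.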
22 changes: 18 additions & 4 deletions Makefile
Expand Up @@ -3,13 +3,14 @@
# ==========================================================

# Set variables
VENV_DIR := $(HOME)/.venvs/ansible
VENV_DIR := $(HOME)/.virtualenvs/ansible
REQUIREMENTS := ansible/requirements.txt
DOCKER_BUILD_SCRIPT := ./build_and_push_private.sh
DOCKER_CLEAN_SCRIPT := ./cleanup_docker.sh
PRECOMMIT_CONFIG := ansible/.pre-commit-config.yaml


.PHONY: help venv init upgrade build cleanup
.PHONY: help venv init upgrade build cleanup lint

# ----------------------------------------------------------
# Help commands
Expand All @@ -33,8 +34,16 @@ venv:
@echo "✅ Virtualenv created at $(VENV_DIR)"

init: venv
@. $(VENV_DIR)/bin/activate && pip install --upgrade pip && pip install -r $(REQUIREMENTS)
@echo "✅ Dependencies installed in $(VENV_DIR)"
@echo "📦 Installing dependencies and pre-commit hooks..."
@$(VENV_DIR)/bin/pip install --upgrade pip
@$(VENV_DIR)/bin/pip install -r $(REQUIREMENTS)
@if [ -x "$(VENV_DIR)/bin/pre-commit" ]; then \
echo "⚙️ Installing pre-commit hook (config: $(PRECOMMIT_CONFIG))..."; \
$(VENV_DIR)/bin/pre-commit install --config $(PRECOMMIT_CONFIG); \
else \
echo "⚠️ pre-commit not found (check requirements.txt)"; \
fi
@echo "✅ Environment initialized in $(VENV_DIR)"

upgrade:
@echo "⬆️ Mise à jour du venv et de tous les paquets..."
Expand All @@ -48,6 +57,11 @@ build:
@chmod +x $(DOCKER_BUILD_SCRIPT)
@$(DOCKER_BUILD_SCRIPT)

lint:
@echo "🔍 Running Ansible and YAML linters..."
~/.venvs/ansible/bin/ansible-lint ansible/
~/.venvs/ansible/bin/yamllint .

cleanup:
@echo "Cleaning up Docker resources..."
@chmod +x $(DOCKER_CLEAN_SCRIPT)
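Review bot: The new `lint` target hard-codes `~/.venvs/ansible/bin/ansible-lint` and `~/.venvs/ansible/bin/yamllint`, while the first hunk of this file moves `VENV_DIR` to `$(HOME)/.virtualenvs/ansible`, so after `make init` the tools are installed in a different directory and `make lint` will fail to find them. Use the variable as the other targets do: `@$(VENV_DIR)/bin/ansible-lint ansible/` and `@$(VENV_DIR)/bin/yamllint .`. Note also that `yamllint .` from the repository root covers every YAML file, including the workflow under `.github/`, whereas the CI workflow only runs ansible-lint, so the two paths currently lint different sets of files.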
10 changes: 10 additions & 0 deletions ansible/.ansible-lint
@@ -0,0 +1,10 @@
---
skip_list:
- command-instead-of-module
- risky-shell-pipe
- package-latest
- var-naming
- ignore-errors
warn_list:
- jinja
- yaml
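Review bot: `skip_list` silences `risky-shell-pipe`, `ignore-errors` and `package-latest` repository-wide, yet this same PR removes the patterns those rules catch (the curl-pipe shell task in the docker role, `ignore_errors: true` in the trivy role, `state: latest`), so the skips now hide future regressions rather than known exceptions. Prefer dropping these entries and, where a single task genuinely needs an exception, marking it inline with `# noqa: <rule>` plus a reason. If an entry must stay, add a comment above it explaining why. `var-naming` may be obsolete too, since the PR prefixes registered variables with their role names, which is that rule's main complaint.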
9 changes: 9 additions & 0 deletions ansible/.pre-commit-config.yaml
@@ -0,0 +1,9 @@
---
repos:
- repo: https://github.com/ansible/ansible-lint
rev: v25.9.2
hooks:
- id: ansible-lint
name: Ansible Lint
args: [--force-color, ansible/]
files: ^ansible/
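Review bot: This config lives at `ansible/.pre-commit-config.yaml` rather than the repository root, so pre-commit only finds it when `--config` is passed (as the Makefile `init` target does for `install`); a plain `pre-commit run` from the root will report no config file. Hooks always execute from the git root, so `args: [--force-color, ansible/]` is root-relative and consistent, but `ansible/.ansible-lint` is then not in ansible-lint's working directory and may be ignored; if so, add `-c ansible/.ansible-lint` to `args`, or move both configs to the root. `files: ^ansible/` only filters which staged files trigger the hook, not what gets linted, since the path is passed explicitly; whether it has any effect depends on the upstream hook's `always_run`/`pass_filenames` settings.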
9 changes: 5 additions & 4 deletions ansible/forge-cicd.yml
@@ -1,14 +1,15 @@
---
- hosts: all

- name: Forge CI/CD Deployment
hosts: all

# Only if you want to be prompted for Docker Hub credentials
vars_prompt:
- name: "docker_hub_user"
prompt: "Docker Hub username"
private: no
private: false
- name: "docker_hub_token"
prompt: "Docker Hub Token"
private: yes
private: true

roles:
- postinstall
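Review bot: The comment 'Only if you want to be prompted for Docker Hub credentials' above `vars_prompt` is misleading: Ansible prompts whenever the variables are not already supplied with `-e`, and in a non-interactive session it skips the prompt and leaves them undefined. Reword it to something like `# Prompted at runtime; supply docker_hub_user/docker_hub_token with -e for non-interactive runs`. `private: true` on the token prompt is right; make sure the task that consumes it (the 'Connect to Docker Hub' task in the forge_cicd role, outside this hunk) sets `no_log: true` so the token cannot reach verbose output.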
1 change: 1 addition & 0 deletions ansible/requirements.txt
Expand Up @@ -6,6 +6,7 @@ ansible-lint
paramiko
jinja2
cryptography
pre-commit

# #######
# dev tools
4 changes: 4 additions & 0 deletions ansible/requirements.yml
@@ -0,0 +1,4 @@
---
collections:
- name: community.docker
version: ">=4.8.1"
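Review bot: Nothing in this PR installs the collection declared here: neither the `lint.yml` workflow nor the Makefile `init` target runs `ansible-galaxy collection install -r ansible/requirements.yml`, so `community.docker` modules (presumably what the compose and login tasks in the forge_cicd role use) resolve only where the collection happens to be installed, and ansible-lint in CI may report them as unresolved. Add an install step after the pip install, e.g. `ansible-galaxy collection install -r ansible/requirements.yml`. A lower bound `">=4.8.1"` alone lets each run resolve a different collection version; an exact pin (or an upper bound) keeps lint and deploy reproducible.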
4 changes: 2 additions & 2 deletions ansible/roles/docker/defaults/main.yml
@@ -1,8 +1,8 @@
---
# Docker vars
docker_ansible_user: "root"
docker_ansible_user: root

docker_group: "docker"
docker_group: docker

docker_ubuntu_repo: "https://download.docker.com/linux/ubuntu"

14 changes: 7 additions & 7 deletions ansible/roles/docker/tasks/main.yml
@@ -1,9 +1,9 @@
---
- name: Add Docker GPG key
ansible.builtin.shell: |
curl -fsSL {{ docker_gpg_url }} | sudo tee /etc/apt/trusted.gpg.d/docker.asc
args:
creates: /etc/apt/trusted.gpg.d/docker.asc
ansible.builtin.get_url:
url: "{{ docker_gpg_url }}"
dest: /etc/apt/trusted.gpg.d/docker.asc
mode: "0644"

- name: Add Docker repository
ansible.builtin.apt_repository:
Expand All @@ -13,7 +13,7 @@

- name: Update repository
ansible.builtin.apt:
update_cache: yes
update_cache: true

- name: Install docker
ansible.builtin.apt:
Expand All @@ -24,10 +24,10 @@
ansible.builtin.systemd:
name: docker
state: started
enabled: yes
enabled: true

- name: Add user to docker group
ansible.builtin.user:
name: "{{ ansible_user }}"
groups: "{{ docker_group }}"
append: yes
append: true
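Review bot: Replacing the curl pipe with `get_url` is a clear improvement, but the key still lands in `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository instead of only Docker's, and no `checksum` is set. Consider `dest: /etc/apt/keyrings/docker.asc` together with `checksum: sha256:<EXPECTED_DIGEST>` and a `signed-by=/etc/apt/keyrings/docker.asc` option in the `apt_repository` entry (that task starts in the next hunk and is cut off here, so I cannot see whether it already uses `signed-by`). With `force` at its default, `get_url` only downloads when the destination is absent, so the dropped `creates:` guard is not missed — but it also means a rotated key is never refreshed unless `checksum` is present to detect the mismatch.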
3 changes: 2 additions & 1 deletion ansible/roles/forge_cicd/meta/main.yml
@@ -1,7 +1,8 @@
---
galaxy_info:
author: Thomas Fx
description: Deploy CI/CD Forge
license: MIT
min_ansible_version: "2.1"
galaxy_tags: []
dependencies: []
dependencies: []
20 changes: 12 additions & 8 deletions ansible/roles/forge_cicd/tasks/main.yml
Expand Up @@ -5,19 +5,23 @@
owner: root
group: root
state: directory
mode: '0755'

- name: Copy Docker Compose
ansible.builtin.copy:
src: ../docker-compose.yml
dest: "{{ forge_cicd_docker_path }}/docker-compose.yml"
register: compose_copy
owner: root
group: root
mode: "0644"
register: forge_cicd_compose_copy

- name: Copy environment file
ansible.builtin.copy:
src: .env
dest: "{{ forge_cicd_docker_path }}/.env"
mode: "600"
register: env_copy
register: forge_cicd_env_copy

# Only if prompted for Docker Hub credentials and need custom images
- name: Connect to Docker Hub
Expand All @@ -31,23 +35,23 @@
state: present
pull: always
recreate: always
when: compose_copy.changed or env_copy.changed
when: forge_cicd_compose_copy.changed or forge_cicd_env_copy.changed

- name: Check containers status
ansible.builtin.command: docker ps --format '{% raw %}{{.Names}}{% endraw %}'
register: running_containers
register: forge_cicd_running_containers
changed_when: false

- name: Print running containers
ansible.builtin.debug:
msg: "{{ item }} is running"
loop: "{{ running_containers.stdout_lines }}"
when: running_containers.stdout_lines is defined and running_containers.stdout_lines | length > 0
msg: "{{ item }} is running"
loop: "{{ forge_cicd_running_containers.stdout_lines }}"
when: forge_cicd_running_containers.stdout_lines is defined and forge_cicd_running_containers.stdout_lines | length > 0

- name: Status summary
ansible.builtin.debug:
msg: >-
{% if compose_copy.changed or env_copy.changed %}
{% if forge_cicd_compose_copy.changed or forge_cicd_env_copy.changed %}
Configuration files modified. Docker Compose has been redeployed.
{% else %}
No changes detected on 'docker-compose.yml' or '.env'. Deployment unchanged.
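Review bot: The 'Copy environment file' task keeps `mode: "600"` and sets no owner, while the compose copy directly above it gained `owner: root`, `group: root`, `mode: "0644"` in this PR, so two adjacent file tasks now follow different conventions. Make them consistent: `owner: root`, `group: root`, `mode: "0600"`. If `.env` carries credentials, also add `no_log: true` (or `diff: false`) to that task, because a run with `--diff` otherwise prints the file contents to the console. The 'Connect to Docker Hub' task that follows is cut off by the hunk boundary, so I cannot confirm it protects the token the same way.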
18 changes: 9 additions & 9 deletions ansible/roles/postinstall/defaults/main.yml
@@ -1,11 +1,11 @@
# PostInstall role vars
postinstall_extra_packages_ubuntu:
- apt-transport-https
- ca-certificates
- curl
- git
- rsyslog
- software-properties-common
- tree
- vim
- wget
- apt-transport-https
- ca-certificates
- curl
- git
- rsyslog
- software-properties-common
- tree
- vim
- wget
10 changes: 6 additions & 4 deletions ansible/roles/postinstall/tasks/main.yml
@@ -1,9 +1,11 @@
---
- name: Update package index
ansible.builtin.apt:
update_cache: true

- name: Upgrade all packages
ansible.builtin.package:
name: "*"
update_cache: yes
state: latest
ansible.builtin.apt:
upgrade: dist

- name: Install Ubuntu packages
ansible.builtin.apt:
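Review bot: The new 'Upgrade all packages' task runs `upgrade: dist` unconditionally, so every play applies a full distribution upgrade to the host (kernel included) with no reboot handling and no way to run the role without it. Gate it with a role variable, e.g. `when: postinstall_upgrade_packages | default(false)`, or at least document in a comment that the role performs a full upgrade on each run. The separate 'Update package index' task refreshes the apt cache every time; adding `cache_valid_time: 3600` would skip the refresh while the cache is fresh without affecting correctness.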
12 changes: 6 additions & 6 deletions ansible/roles/trivy/defaults/main.yml
@@ -1,10 +1,10 @@
---
forge_cicd_docker_path: /opt/docker/forge
trivy_forge_cicd_docker_path: /opt/docker/forge

# PostInstall role vars
trivy_requirements_packages:
- apt-transport-https
- gnupg
- gnupg2
- lsb-release
- wget
- apt-transport-https
- gnupg
- gnupg2
- lsb-release
- wget
2 changes: 1 addition & 1 deletion ansible/roles/trivy/meta/main.yml
Expand Up @@ -7,4 +7,4 @@ galaxy_info:

galaxy_tags: []

dependencies: []
dependencies: []
21 changes: 11 additions & 10 deletions ansible/roles/trivy/tasks/main.yml
Expand Up @@ -9,7 +9,7 @@
ansible.builtin.apt:
name: "{{ trivy_requirements_packages }}"
state: present
update_cache: yes
update_cache: true
when: trivy_check.rc != 0

- name: Add GPG key
Expand All @@ -26,35 +26,36 @@
- name: Install Trivy
ansible.builtin.apt:
name: trivy
state: latest
state: present
update_cache: true

- name: Create reports directory
ansible.builtin.file:
path: "{{ forge_cicd_docker_path }}/reports"
path: "{{ trivy_forge_cicd_docker_path }}/reports"
state: directory
mode: "0755"

- name: List Docker images
ansible.builtin.command:
cmd: docker compose images --format json
chdir: "{{ forge_cicd_docker_path }}"
register: docker_images
chdir: "{{ trivy_forge_cicd_docker_path }}"
register: trivy_docker_images
changed_when: false

- name: Scan Docker images with Trivy
ansible.builtin.command: >
trivy image --quiet --format template
--template "@/usr/local/share/trivy/templates/html.tpl"
--output {{ forge_cicd_docker_path }}/reports/{{ item.Repository | replace('/', '_') }}_{{ item.Tag }}.html
--output {{ trivy_forge_cicd_docker_path }}/reports/{{ item.Repository | replace('/', '_') }}_{{ item.Tag }}.html
{{ item.Repository }}:{{ item.Tag }}
loop: "{{ docker_images.stdout | from_json }}"
loop: "{{ trivy_docker_images.stdout | from_json }}"
register: trivy_scan
changed_when: false
ignore_errors: true
failed_when: trivy_scan.rc not in [0, 1]

- name: Find Trivy reports
ansible.builtin.find:
paths: "{{ forge_cicd_docker_path }}/reports"
paths: "{{ trivy_forge_cicd_docker_path }}/reports"
patterns: "*.html"
recurse: false
register: trivy_reports_to_fetch
Expand All @@ -67,7 +68,7 @@
ansible.builtin.fetch:
src: "{{ item.path }}"
dest: ../reports/
flat: yes
flat: true
loop: "{{ trivy_reports_to_fetch.files }}"
loop_control:
label: "{{ item.path | basename }}"
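Review bot: `failed_when: trivy_scan.rc not in [0, 1]` treats exit code 1 as success, but the command passes no `--exit-code`, and as far as I recall Trivy's default of 0 means findings never change the exit status; exit 1 then signals that the scan itself failed (image not found, database download error), which is exactly what this task now masks, much as the removed `ignore_errors: true` did. If the intent is to tolerate findings, nothing needs exempting and `failed_when: trivy_scan.rc != 0` (or no `failed_when` at all) is safer; if the intent is to surface findings through the exit status, add `--exit-code 1` explicitly and then decide deliberately whether that should fail the play. `changed_when: false` on a command that writes a report under `reports/` on every run is acceptable but deserves a comment. The scan loop would also read better with `loop_control: label: "{{ item.Repository }}:{{ item.Tag }}"`, as the fetch task at the end of this hunk already does for its items.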