ci: Use generalized action to test against different distributions

[spetrosi]

Enhancement: Use single GH action to test on container images

Reason: The fleet of GH actions testing against different container images was not maintainable.

Result: On this role side, all code is in one workflow file.

Issue Tracker Tickets (Jira or BZ if any): -

Forked from linux-system-roles#239

Summary by CodeRabbit

• New Features

  • Added support for Alpine Linux and Ubuntu 26 systems.
  • Added support for RefuseConnection and WarnWeakCrypto SSH configuration options.

• Chores

  • Consolidated separate OS-specific Ansible testing workflows into a unified multi-OS pipeline.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR consolidates Ansible CI testing into a single matrix-based workflow, adds support for two new SSH configuration options, and extends the role to support Alpine Linux and Ubuntu 26 with distribution-specific variables and test adaptations.

Changes

SSH Config Enhancements

Layer / File(s)	Summary
CI Workflow Consolidation .github/workflows/ansible-check.yml	Multiple per-OS workflows (CentOS, Debian, Fedora, Ubuntu) are replaced by a single "Ansible CI" workflow using a build matrix across Alpine, CentOS stream, Debian, Fedora, and Ubuntu variants.
New SSH Options: RefuseConnection and WarnWeakCrypto .dev-tools/options_body, templates/ssh_config.j2	Two new SSH options are added to the documentation reference and template, rendered across Match blocks, Host blocks, and body-level defaults using existing option rendering patterns.
Alpine Linux Support vars/Alpine.yml, tests/tasks/setup.yml, tests/tests_additional_packages.yml, tests/tests_all_options.yml, tests/tests_no_skip_defaults.yml	Alpine-specific variables define SSH package defaults and drop-in paths; test playbooks are adapted to handle Alpine package management, skip incompatible dependencies, parse manual pages consistently, and apply Alpine-specific test defaults.
Ubuntu 26 Support vars/Ubuntu_26.yml	Ubuntu 26 variables define SSH package defaults, enable drop-in configuration support, and specify default SSH Host settings.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format with 'ci:' type and clearly describes the main change—consolidating multiple workflows into a generalized action for testing distributions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description follows the required template with all sections completed: Enhancement, Reason, Result, and Issue Tracker Tickets.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[spetrosi]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ansible-check.yml:
- Around line 31-35: The workflow currently references mutable tags/refs
(actions/checkout@v6 and Jakuje/check-ansible-action@main); replace those uses
entries with the exact commit SHAs resolved for the versions you want to lock
(e.g., actions/checkout@<commit-sha> and
Jakuje/check-ansible-action@<commit-sha>) so the CI cannot change
unexpectedly—locate the two uses lines for actions/checkout and
Jakuje/check-ansible-action in the ansible-check.yml and substitute the tag/ref
with the corresponding immutable commit SHAs.

In `@tests/tasks/setup.yml`:
- Around line 44-48: The bootstrap package selection includes Alpine in the
OS-family conditional but still references the package name openssh-client;
update the Alpine-specific branch so the resolver uses the Alpine-default
variable name openssh-client-default (or map openssh-client to
openssh-client-default for Alpine) to match vars/Alpine.yml; specifically adjust
the conditional that handles ansible_facts['distribution'] == 'Alpine' so the
chosen package string matches the declared variable openssh-client-default used
by the Alpine role.

In `@tests/tests_no_skip_defaults.yml`:
- Around line 16-17: Update the Alpine expectation in the test to match the
role's Alpine default: replace the literal "Include /etc/ssh/ssh_config.d/"
expectation with the globbed form "Include: /etc/ssh/ssh_config.d/*.conf" so it
aligns with the value defined in vars/Alpine.yml (ensure the test assertion that
checks the SSH config content uses the same "Include:
/etc/ssh/ssh_config.d/*.conf" string).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e1bd1e8e-c332-497c-a8f8-a006d22850d0

📥 Commits

Reviewing files that changed from the base of the PR and between a3dc448 and b33f761.

📒 Files selected for processing (13)

• .dev-tools/options_body
• .github/workflows/ansible-centos.yml
• .github/workflows/ansible-check.yml
• .github/workflows/ansible-debian.yml
• .github/workflows/ansible-fedora.yml
• .github/workflows/ansible-ubuntu.yml
• templates/ssh_config.j2
• tests/tasks/setup.yml
• tests/tests_additional_packages.yml
• tests/tests_all_options.yml
• tests/tests_no_skip_defaults.yml
• vars/Alpine.yml
• vars/Ubuntu_26.yml

💤 Files with no reviewable changes (4)

• .github/workflows/ansible-ubuntu.yml
• .github/workflows/ansible-debian.yml
• .github/workflows/ansible-centos.yml
• .github/workflows/ansible-fedora.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "actions/checkout v6 SHA:"
git ls-remote https://github.com/actions/checkout refs/tags/v6

echo
echo "Jakuje/check-ansible-action main SHA:"
git ls-remote https://github.com/Jakuje/check-ansible-action refs/heads/main

Repository: spetrosi/ssh

Length of output: 231

---

🏁 Script executed:

sed -n '31,35p' .github/workflows/ansible-check.yml

Repository: spetrosi/ssh

Length of output: 188

---

Pin GitHub Actions to immutable commit SHAs instead of moving refs.

uses: ...@v6 and uses: ...@main allow upstream changes to alter CI behavior without any PR in this repo. Pin both actions to their resolved commit SHAs:

🔒 Suggested fix

-      - name: Checkout code
-        uses: actions/checkout@v6
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

-      - name: Test Ansible SSH Role
-        uses: Jakuje/check-ansible-action@main
+      - name: Test Ansible SSH Role
+        uses: Jakuje/check-ansible-action@f64d87a5598747f49294b37d7302083afbc15c76

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/checkout@v6
	- name: Test Ansible SSH Role
	uses: Jakuje/check-ansible-action@main
	with:
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
	- name: Test Ansible SSH Role
	uses: Jakuje/check-ansible-action@f64d87a5598747f49294b37d7302083afbc15c76
	with:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ansible-check.yml around lines 31 - 35, The workflow
currently references mutable tags/refs (actions/checkout@v6 and
Jakuje/check-ansible-action@main); replace those uses entries with the exact
commit SHAs resolved for the versions you want to lock (e.g.,
actions/checkout@<commit-sha> and Jakuje/check-ansible-action@<commit-sha>) so
the CI cannot change unexpectedly—locate the two uses lines for actions/checkout
and Jakuje/check-ansible-action in the ansible-check.yml and substitute the
tag/ref with the corresponding immutable commit SHAs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Align Alpine bootstrap package with the new Alpine role defaults.

Line 48 opts Alpine into the Alpine-specific path, but the bootstrap package resolver still falls through to openssh-client (Line 24) while this PR’s vars/Alpine.yml declares openssh-client-default. This mismatch can fail setup before role execution on Alpine.

Suggested fix

 - name: Make sure openssh is installed before creating backup
   vars:
     __ssh_test_packages: >-
       {{
         "openssh-clients" if ansible_facts['os_family'] in ['RedHat', 'Suse']
-        else "openssh-client"
+        else ("openssh-client-default"
+              if ansible_facts['distribution'] == 'Alpine'
+              else "openssh-client")
       }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tasks/setup.yml` around lines 44 - 48, The bootstrap package selection
includes Alpine in the OS-family conditional but still references the package
name openssh-client; update the Alpine-specific branch so the resolver uses the
Alpine-default variable name openssh-client-default (or map openssh-client to
openssh-client-default for Alpine) to match vars/Alpine.yml; specifically adjust
the conditional that handles ansible_facts['distribution'] == 'Alpine' so the
chosen package string matches the declared variable openssh-client-default used
by the Alpine role.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix Alpine expectation to match the role’s Alpine defaults.

Line 17 expects Include /etc/ssh/ssh_config.d/, but this PR’s vars/Alpine.yml sets Include: /etc/ssh/ssh_config.d/*.conf. Keep these aligned to avoid false failures in the assertion.

Suggested fix

       {% elif ansible_facts['os_family'] == 'Alpine' %}
-        Include /etc/ssh/ssh_config.d/
+        Include /etc/ssh/ssh_config.d/*.conf

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	{% elif ansible_facts['os_family'] == 'Alpine' %}
	Include /etc/ssh/ssh_config.d/
	{% elif ansible_facts['os_family'] == 'Alpine' %}
	Include /etc/ssh/ssh_config.d/*.conf

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_no_skip_defaults.yml` around lines 16 - 17, Update the Alpine
expectation in the test to match the role's Alpine default: replace the literal
"Include /etc/ssh/ssh_config.d/" expectation with the globbed form "Include:
/etc/ssh/ssh_config.d/*.conf" so it aligns with the value defined in
vars/Alpine.yml (ensure the test assertion that checks the SSH config content
uses the same "Include: /etc/ssh/ssh_config.d/*.conf" string).