From b33f761eebde56b72bd97612749c3aab0c869885 Mon Sep 17 00:00:00 2001 From: Sergei Petrosian Date: Fri, 15 May 2026 14:25:02 +0200 Subject: [PATCH] ci: Use generalized action to test against different distributions Enhancement: Use single GH action to test on container images Reason: The fleet of GH actions testing against different container images was not maintainable. Result: On this role side, all code is in one workflow file. Issue Tracker Tickets (Jira or BZ if any): - Co-Authored-By: Claude Sonnet 4.5 --- .dev-tools/options_body | 2 + .github/workflows/ansible-centos.yml | 71 ---------------------------- .github/workflows/ansible-check.yml | 39 +++++++++++++++ .github/workflows/ansible-debian.yml | 38 --------------- .github/workflows/ansible-fedora.yml | 22 --------- .github/workflows/ansible-ubuntu.yml | 38 --------------- templates/ssh_config.j2 | 6 +++ tests/tasks/setup.yml | 3 +- tests/tests_additional_packages.yml | 2 + tests/tests_all_options.yml | 14 ++++++ tests/tests_no_skip_defaults.yml | 2 + vars/Alpine.yml | 9 ++++ vars/Ubuntu_26.yml | 15 ++++++ 13 files changed, 91 insertions(+), 170 deletions(-) delete mode 100644 .github/workflows/ansible-centos.yml create mode 100644 .github/workflows/ansible-check.yml delete mode 100644 .github/workflows/ansible-debian.yml delete mode 100644 .github/workflows/ansible-fedora.yml delete mode 100644 .github/workflows/ansible-ubuntu.yml create mode 100644 vars/Alpine.yml create mode 100644 vars/Ubuntu_26.yml diff --git a/.dev-tools/options_body b/.dev-tools/options_body index 533f2281..b763eca4 100644 --- a/.dev-tools/options_body +++ b/.dev-tools/options_body @@ -83,6 +83,7 @@ ProxyUseFdpass PubkeyAcceptedKeyTypes PubkeyAcceptedAlgorithms PubkeyAuthentication +RefuseConnection RekeyLimit RemoteCommand RemoteForward @@ -113,4 +114,5 @@ UserKnownHostsFile VerifyHostKeyDNS VersionAddendum VisualHostKey +WarnWeakCrypto XAuthLocation 
diff --git a/.github/workflows/ansible-centos.yml b/.github/workflows/ansible-centos.yml
deleted file mode 100644
index fa9abaf3..00000000
--- a/.github/workflows/ansible-centos.yml
+++ /dev/null
@@ -1,71 +0,0 @@ ---- -name: Run Ansible Check on CentOS - -on: [push, pull_request] - -jobs: - centos-7: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - run: "sed -i -e 's/ansible.posix.//g' */*.yml */*/*.yml" - - - name: ansible check with centos 7 - uses: roles-ansible/check-ansible-centos-centos7-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" - - centos-8: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with centos 8 - uses: roles-ansible/check-ansible-centos-centos8-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" - - centos-9: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with centos 9 - uses: roles-ansible/check-ansible-centos-centos9-action@main - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" - - centos-10: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with centos 10 - uses: 
roles-ansible/check-ansible-centos-centos10-action@main - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" diff --git a/.github/workflows/ansible-check.yml b/.github/workflows/ansible-check.yml new file mode 100644 index 00000000..767e00c8 --- /dev/null +++ b/.github/workflows/ansible-check.yml @@ -0,0 +1,39 @@ +name: Ansible CI +on: [push, pull_request] + +env: + ANSIBLE_INJECT_FACT_VARS: "false" + +jobs: + test: + if: | + !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || + (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + os_image: + - alpine:latest + - quay.io/centos/centos:stream8 + - quay.io/centos/centos:stream9 + - quay.io/centos/centos:stream10 + - debian:bullseye + - debian:bookworm + - debian:latest + - fedora:latest + - ubuntu:22.04 + - ubuntu:24.04 + - ubuntu:latest + + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Test Ansible SSH Role + uses: Jakuje/check-ansible-action@main + with: + image: ${{ matrix.os_image }} + group: local + hosts: localhost + targets: "tests/tests_*.yml" diff --git a/.github/workflows/ansible-debian.yml b/.github/workflows/ansible-debian.yml deleted file mode 100644 index 7eff9863..00000000 --- a/.github/workflows/ansible-debian.yml +++ /dev/null 
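Review bot: `uses: Jakuje/check-ansible-action@main` in the new `test` job pins a third-party action to a mutable branch, so whatever lands on that branch runs in this repository's CI on every push and pull request, across all eleven matrix entries. Pin it to a reviewed full commit SHA, e.g. `uses: Jakuje/check-ansible-action@<full-commit-sha>  # main` (placeholder), and let a dependency-update bot propose bumps. The workflow also declares no `permissions:` block, so the job token gets the repository default; assuming the action only needs to read the checkout, a top-level `permissions:` with `contents: read` would bound it, and `persist-credentials: false` on the checkout step keeps the token away from the action that runs next. The removed workflows pinned to `@master`/`@main` as well, so this is not a regression, but consolidating onto one action is a natural point to fix it.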
@@ -1,38 +0,0 @@ -name: Run tests on Debian - -on: # yamllint disable-line rule:truthy - - push - - pull_request - -jobs: - debian-bullseye: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with debian bullseye (11) - uses: roles-ansible/check-ansible-debian-bullseye-action@main - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" - - debian-buster: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with debian buster (10) - uses: roles-ansible/check-ansible-debian-buster-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" diff --git a/.github/workflows/ansible-fedora.yml b/.github/workflows/ansible-fedora.yml deleted file mode 100644 index 2fccb2db..00000000 --- a/.github/workflows/ansible-fedora.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: Run tests on Fedora latest - -on: [push, pull_request] - -jobs: - build: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with fedora:latest - uses: roles-ansible/check-ansible-fedora-latest-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" 
diff --git a/.github/workflows/ansible-ubuntu.yml b/.github/workflows/ansible-ubuntu.yml deleted file mode 100644 index 7a69dadc..00000000 --- a/.github/workflows/ansible-ubuntu.yml +++ /dev/null @@ -1,38 +0,0 @@ -name: Run tests on Ubuntu - -on: # yamllint disable-line rule:truthy - - push - - pull_request - -jobs: - ubuntu-latest: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with ubuntu:latest - uses: roles-ansible/check-ansible-ubuntu-latest-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" - - ubuntu-20: - if: | - !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) || - (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]'))) - runs-on: ubuntu-latest - steps: - - name: checkout PR - uses: actions/checkout@v6 - - - name: ansible check with ubuntu:20 (focal) - uses: roles-ansible/check-ansible-ubuntu-focal-action@master - with: - group: local - hosts: localhost - targets: "tests/tests_*.yml" diff --git a/templates/ssh_config.j2 b/templates/ssh_config.j2 index 8d560d8e..97fad725 100644 --- a/templates/ssh_config.j2 +++ b/templates/ssh_config.j2 
@@ -128,6 +128,7 @@ Match {{ match["Condition"] }} {{ render_option("PubkeyAcceptedKeyTypes", match["PubkeyAcceptedKeyTypes"], true) -}} {{ render_option("PubkeyAcceptedAlgorithms", match["PubkeyAcceptedAlgorithms"], true) -}} {{ render_option("PubkeyAuthentication", match["PubkeyAuthentication"], true) -}} +{{ render_option("RefuseConnection", match["RefuseConnection"], true) -}} {{ render_option("RekeyLimit", match["RekeyLimit"], true) -}} {{ render_option("RemoteCommand", match["RemoteCommand"], true) -}} {{ render_option("RemoteForward", match["RemoteForward"], true) -}} @@ -158,6 +159,7 @@ Match {{ match["Condition"] }} {{ render_option("VerifyHostKeyDNS", match["VerifyHostKeyDNS"], true) -}} {{ render_option("VersionAddendum", match["VersionAddendum"], true) -}} {{ render_option("VisualHostKey", match["VisualHostKey"], true) -}} +{{ render_option("WarnWeakCrypto", match["WarnWeakCrypto"], true) -}} {{ render_option("XAuthLocation", match["XAuthLocation"], true) -}} {% endfor %} {% endif %} @@ -254,6 +256,7 @@ Host {{ host["Condition"] }} {{ render_option("PubkeyAcceptedKeyTypes", host["PubkeyAcceptedKeyTypes"], true) -}} {{ render_option("PubkeyAcceptedAlgorithms", host["PubkeyAcceptedAlgorithms"], true) -}} {{ render_option("PubkeyAuthentication", host["PubkeyAuthentication"], true) -}} +{{ render_option("RefuseConnection", host["RefuseConnection"], true) -}} {{ render_option("RekeyLimit", host["RekeyLimit"], true) -}} {{ render_option("RemoteCommand", host["RemoteCommand"], true) -}} {{ render_option("RemoteForward", host["RemoteForward"], true) -}} 
@@ -284,6 +287,7 @@ Host {{ host["Condition"] }} {{ render_option("VerifyHostKeyDNS", host["VerifyHostKeyDNS"], true) -}} {{ render_option("VersionAddendum", host["VersionAddendum"], true) -}} {{ render_option("VisualHostKey", host["VisualHostKey"], true) -}} +{{ render_option("WarnWeakCrypto", host["WarnWeakCrypto"], true) -}} {{ render_option("XAuthLocation", host["XAuthLocation"], true) -}} {% endfor %} {% endif %} @@ -373,6 +377,7 @@ Host {{ host["Condition"] }} {{ body_option("PubkeyAcceptedKeyTypes", ssh_PubkeyAcceptedKeyTypes) -}} {{ body_option("PubkeyAcceptedAlgorithms", ssh_PubkeyAcceptedAlgorithms) -}} {{ body_option("PubkeyAuthentication", ssh_PubkeyAuthentication) -}} +{{ body_option("RefuseConnection", ssh_RefuseConnection) -}} {{ body_option("RekeyLimit", ssh_RekeyLimit) -}} {{ body_option("RemoteCommand", ssh_RemoteCommand) -}} {{ body_option("RemoteForward", ssh_RemoteForward) -}} @@ -403,6 +408,7 @@ Host {{ host["Condition"] }} {{ body_option("VerifyHostKeyDNS", ssh_VerifyHostKeyDNS) -}} {{ body_option("VersionAddendum", ssh_VersionAddendum) -}} {{ body_option("VisualHostKey", ssh_VisualHostKey) -}} +{{ body_option("WarnWeakCrypto", ssh_WarnWeakCrypto) -}} {{ body_option("XAuthLocation", ssh_XAuthLocation) -}} {% if ssh['Match'] is defined %} {{ match_block(ssh['Match']) -}} diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index 50140dff..aec3f4fe 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml @@ -44,4 +44,5 @@ - (ansible_facts['os_family'] in ['RedHat', 'Suse'] and ansible_facts['distribution_major_version'] | int >= 8) or (ansible_facts['distribution'] == 'Ubuntu' - and ansible_facts['distribution_major_version'] | int >= 20) + and ansible_facts['distribution_major_version'] | int >= 20) or + ansible_facts['distribution'] == 'Alpine' diff --git a/tests/tests_additional_packages.yml b/tests/tests_additional_packages.yml index b5955030..fc0bbe0c 100644 --- a/tests/tests_additional_packages.yml 
+++ b/tests/tests_additional_packages.yml @@ -10,6 +10,8 @@ openssh-keycat {% elif ansible_facts['os_family'] == 'Suse' %} openssh-helpers + {% elif ansible_facts['os_family'] == 'Alpine' %} + openssh-sk-helper {% else %} openssh-tests {% endif %} diff --git a/tests/tests_all_options.yml b/tests/tests_all_options.yml index 56e0e835..08bd0baa 100644 --- a/tests/tests_all_options.yml +++ b/tests/tests_all_options.yml @@ -54,6 +54,17 @@ - not __ssh_is_ostree | bool changed_when: true + - name: Make sure manual pages and bash are installed on Alpine + ansible.builtin.package: + name: + - mandoc + - man-pages + - openssh-doc + - bash + state: present + when: + - ansible_facts['distribution'] == "Alpine" + - name: Make sure manual pages, gawk and bash are installed package: name: @@ -65,6 +76,8 @@ state: present use: "{{ (__ssh_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + when: + - ansible_facts['distribution'] != "Alpine" - name: Check if ssh_config man page is available command: man -w ssh_config @@ -79,6 +92,7 @@ - name: Get list of options from manual page shell: >- set -o pipefail && man ssh_config \ + | sed 's/\x08.//g' \ | grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \ | grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \ | awk '{ print $1 }' \ diff --git a/tests/tests_no_skip_defaults.yml b/tests/tests_no_skip_defaults.yml index f34fd892..170d21bf 100644 --- a/tests/tests_no_skip_defaults.yml +++ b/tests/tests_no_skip_defaults.yml @@ -13,6 +13,8 @@ (ansible_facts['distribution'] in ['RedHat', 'CentOS'] and ansible_facts['distribution_version'] | int >= 8) %} Include /etc/ssh/ssh_config.d/*.conf + {% elif ansible_facts['os_family'] == 'Alpine' %} + Include /etc/ssh/ssh_config.d/ {% else %} GSSAPIAuthentication yes {% endif %} diff --git a/vars/Alpine.yml b/vars/Alpine.yml new file mode 100644 index 00000000..ac54f6c0 --- /dev/null +++ b/vars/Alpine.yml 
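Review bot: The added `| sed 's/\x08.//g' \` deletes the backspace and the character after it, which restores the text only for bold overstrike (`X\bX`); for underline overstrike (`_\bX`) it keeps the underscore and drops the real character. Deleting the character before the backspace handles both forms: `| sed 's/.\x08//g' \`. The `\xHH` escape is an extension beyond POSIX sed, so it is worth confirming that the sed in the `alpine:latest` image honours it, since that is presumably the platform this filter was added for. The `shell` task continues outside the hunk.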
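Review bot: The Alpine branch added in `tests/tests_no_skip_defaults.yml` expects `Include /etc/ssh/ssh_config.d/`, while `vars/Alpine.yml` in this same patch sets `__ssh_defaults` to `Include: /etc/ssh/ssh_config.d/*.conf` and the branch just above expects the full `*.conf` glob. If the shortened path is deliberate, a Jinja comment such as `{# Alpine: <reason> #}` would record why; otherwise use `Include /etc/ssh/ssh_config.d/*.conf` so the test checks the whole directive. How the expected string is compared lies outside the hunk, so whether the shorter form passes only as a substring match is an inference.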
@@ -0,0 +1,9 @@ +--- +__ssh_packages: ['openssh-client-default'] + +__ssh_supports_drop_in: true +__ssh_drop_in_name: "00-ansible" + +# This default lists the main configuration file defaults +__ssh_defaults: + Include: /etc/ssh/ssh_config.d/*.conf diff --git a/vars/Ubuntu_26.yml b/vars/Ubuntu_26.yml new file mode 100644 index 00000000..f54ba781 --- /dev/null +++ b/vars/Ubuntu_26.yml @@ -0,0 +1,15 @@ +--- +__ssh_packages: ['openssh-client'] + +# This system supports drop in directory so defaults are adjusted +__ssh_supports_drop_in: true +__ssh_drop_in_name: "00-ansible" + +# This default lists the main configuration file defaults +__ssh_defaults: + Include: /etc/ssh/ssh_config.d/*.conf + Host: + - Condition: "*" + SendEnv: LANG LC_* COLORTERM NO_COLOR + HashKnownHosts: true + GSSAPIAuthentication: true
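Review bot: No entry in the `os_image` matrix added in `.github/workflows/ansible-check.yml` names a 26.x image, so `vars/Ubuntu_26.yml` is exercised only while `ubuntu:latest` happens to resolve to that release (assuming, from the file name, that vars files are selected by distribution and major version). Adding `- ubuntu:26.04` to the matrix, once that tag is published, would keep these defaults under test after `latest` moves on. It would also make a failure attributable to a specific release instead of to whatever the floating tag points at that day.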