ci: Comply with Ansible partner certification checking [citest_skip]

.ansible-lint

@@ -20,7 +20,8 @@ exclude_paths:
   - .github/
   - .markdownlint.yaml
   - examples/roles/
+  - .collection/
 mock_roles:
-  - linux-system-roles.trustee_attestation_client
+  - linux-system-roles.trustee_client
 supported_ansible_also:
   - "2.14.0"

.github/workflows/ansible-lint.yml

@@ -22,6 +22,15 @@ jobs:
       !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) ||
         (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]')))
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        # There should be one version which is the one used by the Automation Hub gating, and
+        # one for the latest version.
+        # https://github.com/ansible-collections/partner-certification-checker/blob/main/.github/workflows/certification-reusable.yml#L108
+        versions:
+          - { ansible_lint: "24.*", ansible: "2.16.*", python: "3.12" }
+          - { ansible_lint: "26.*", ansible: "2.20.*", python: "3.13" }
     steps:
       - name: Update pip, git
         run: |
@@ -35,53 +44,17 @@ jobs:
       - name: Install tox, tox-lsr
         run: |
           set -euxo pipefail
-          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.17.1"
+          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.18.0"
 
-      - name: Convert role to collection format
-        id: collection
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.versions.python }}
+
+      - name: Convert role to collection format and run ansible-lint
         run: |
           set -euxo pipefail
-          TOXENV=collection lsr_ci_runtox
-          coll_dir=".tox/ansible_collections/$LSR_ROLE2COLL_NAMESPACE/$LSR_ROLE2COLL_NAME"
-          # cleanup after collection conversion
-          rm -rf "$coll_dir/.ansible" .tox/ansible-plugin-scan "$coll_dir/.collection"
-          # ansible-lint action requires a .git directory???
-          # https://github.com/ansible/ansible-lint/blob/main/action.yml#L45
-          mkdir -p "$coll_dir/.git"
-          meta_req_file="${{ github.workspace }}/meta/collection-requirements.yml"
-          test_req_file="${{ github.workspace }}/tests/collection-requirements.yml"
-          if [ -f "$meta_req_file" ] && [ -f "$test_req_file" ]; then
-            coll_req_file="${{ github.workspace }}/req.yml"
-            python -c 'import sys; import yaml
-          hsh1 = yaml.safe_load(open(sys.argv[1]))
-          hsh2 = yaml.safe_load(open(sys.argv[2]))
-          coll = {}
-          for item in hsh1["collections"] + hsh2["collections"]:
-            if isinstance(item, dict):
-              name = item["name"]
-              rec = item
-            else:
-              name = item  # assume string
-              rec = {"name": name}
-            if name not in coll:
-              coll[name] = rec
-          hsh1["collections"] = list(coll.values())
-          yaml.safe_dump(hsh1, open(sys.argv[3], "w"))' "$meta_req_file" "$test_req_file" "$coll_req_file"
-            echo merged "$coll_req_file"
-            cat "$coll_req_file"
-          elif [ -f "$meta_req_file" ]; then
-            coll_req_file="$meta_req_file"
-          elif [ -f "$test_req_file" ]; then
-            coll_req_file="$test_req_file"
-          else
-            coll_req_file=""
-          fi
-          echo "coll_req_file=$coll_req_file" >> $GITHUB_OUTPUT
-
-      - name: Run ansible-lint
-        uses: ansible/ansible-lint@v26
-        with:
-          working_directory: ${{ github.workspace }}/.tox/ansible_collections/${{ env.LSR_ROLE2COLL_NAMESPACE }}/${{ env.LSR_ROLE2COLL_NAME }}
-          requirements_file: ${{ steps.collection.outputs.coll_req_file }}
-        env:
-          ANSIBLE_COLLECTIONS_PATH: ${{ github.workspace }}/.tox
+          LSR_ANSIBLE_LINT_DEP="ansible-lint==${{ matrix.versions.ansible_lint }}" \
+          LSR_ANSIBLE_LINT_ANSIBLE_DEP="ansible-core==${{ matrix.versions.ansible }}" \
+          tox -x testenv:ansible-lint-collection.basepython="python${{ matrix.versions.python }}" \
+          -e collection,ansible-lint-collection

.github/workflows/ansible-managed-var-comment.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Install tox, tox-lsr
         run: |
           set -euxo pipefail
-          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.17.1"
+          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.18.0"
 
       - name: Run ansible-plugin-scan
         run: |

.github/workflows/ansible-test.yml

@@ -22,6 +22,17 @@ jobs:
       !((github.event_name == 'pull_request' && contains(github.event.pull_request.title, '[citest_skip]')) ||
         (github.event_name == 'push' && contains(github.event.head_commit.message, '[citest_skip]')))
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false  # get all results, not just the first failure
+      matrix:
+        versions:
+          - { ansible: "2-14", python: "3.9" }
+          - { ansible: "2-16", python: "3.11" }
+          - { ansible: "2-17", python: "3.12" }
+          - { ansible: "2-18", python: "3.12" }
+          - { ansible: "2-19", python: "3.13" }
+          - { ansible: "2-20", python: "3.13" }
+          - { ansible: "milestone", python: "3.13" }
     steps:
       - name: Update pip, git
         run: |
@@ -36,16 +47,15 @@ jobs:
       - name: Install tox, tox-lsr
         run: |
           set -euxo pipefail
-          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.17.1"
+          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.18.0"
 
-      - name: Convert role to collection format
-        run: |
-          set -euxo pipefail
-          TOXENV=collection lsr_ci_runtox
-
-      - name: Run ansible-test
-        uses: ansible-community/ansible-test-gh-action@release/v1
+      - name: Set up Python
+        uses: actions/setup-python@v6
         with:
-          testing-type: sanity  # wokeignore:rule=sanity
-          ansible-core-version: stable-2.17
-          collection-src-directory: ${{ github.workspace }}/.tox/ansible_collections/${{ env.LSR_ROLE2COLL_NAMESPACE }}/${{ env.LSR_ROLE2COLL_NAME }}
+          python-version: ${{ matrix.versions.python }}
+
+      - name: Convert role to collection format and run ansible-test
+        run: |
+          tox \
+            -x testenv:ansible-test-${{ matrix.versions.ansible }}.basepython="python${{ matrix.versions.python }}" \
+            -e collection,ansible-test-${{ matrix.versions.ansible }}

.github/workflows/qemu-kvm-integration-tests.yml

@@ -110,7 +110,7 @@ jobs:
           python3 -m pip install --upgrade pip
           sudo apt update
           sudo apt install -y --no-install-recommends git ansible-core genisoimage qemu-system-x86
-          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.17.1"
+          pip3 install "git+https://github.com/linux-system-roles/tox-lsr@3.18.0"
 
       # HACK: Drop this when moving this workflow to 26.04 LTS
       - name: Update podman to 5.x for compatibility with bootc-image-builder's podman 5

.github/workflows/tft.yml

@@ -181,7 +181,7 @@ jobs:
           tf_scope: private
           api_key: ${{ secrets.TF_API_KEY_RH }}
           update_pull_request_status: false
-          tmt_plan_filter: "tag:playbooks_parallel,trustee_attestation_client"
+          tmt_plan_filter: "tag:playbooks_parallel,trustee_client"
 
       - name: Set final commit status
         uses: myrotvorets/set-commit-status-action@master

README.md

@@ -1,6 +1,6 @@
 # trustee_attestation_client
 
-[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_client/actions/workflows/woke.yml)
+[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/trustee_client/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_client/actions/workflows/woke.yml)
 
 ![trustee_attestation_client](https://github.com/linux-system-roles/trustee_attestation_client/workflows/tox/badge.svg)
 

contributing.md

@@ -1,4 +1,4 @@
-# Contributing to the trustee_attestation_client Linux System Role
+# Contributing to the trustee_client Linux System Role
 
 ## Where to start
 
@@ -12,12 +12,12 @@ This has all of the common information that all role developers need:
 * How to create git commits and submit pull requests
 
 **Bugs and needed implementations** are listed on
-[Github Issues](https://github.com/linux-system-roles/trustee_attestation_client/issues).
+[Github Issues](https://github.com/linux-system-roles/trustee_client/issues).
 Issues labeled with
-[**help wanted**](https://github.com/linux-system-roles/trustee_attestation_client/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
+[**help wanted**](https://github.com/linux-system-roles/trustee_client/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
 are likely to be suitable for new contributors!
 
-**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_attestation_client), using
+**Code** is managed on [Github](https://github.com/linux-system-roles/trustee_client), using
 [Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
 
 ## Running CI Tests Locally

plans/README-plans.md

@@ -1,6 +1,6 @@
 # Introduction CI Testing Plans
 
-Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) GitHub workflow.
+Linux System Roles CI runs [tmt](https://tmt.readthedocs.io/en/stable/index.html) test plans in [Testing farm](https://docs.testing-farm.io/Testing%20Farm/0.1/index.html) with the [tft.yml](https://github.com/linux-system-roles/trustee_client/blob/main/.github/workflows/tft.yml) GitHub workflow.
 
 The `plans/test_playbooks_parallel.fmf` plan is a test plan that runs test playbooks in parallel on multiple managed nodes.
 `plans/test_playbooks_parallel.fmf` is generated centrally from `https://github.com/linux-system-roles/.github/`.
@@ -16,7 +16,7 @@ The `plans/test_playbooks_parallel.fmf` plan does the following steps:
 2. Does the required preparation on systems.
 3. For the given role and the given PR, runs the general test from [test.sh](https://github.com/linux-system-roles/tft-tests/blob/main/tests/general/test.sh).
 
-The [tft.yml](https://github.com/linux-system-roles/trustee_attestation_client/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
+The [tft.yml](https://github.com/linux-system-roles/trustee_client/blob/main/.github/workflows/tft.yml) workflow runs the above plan and uploads the results to our Fedora storage for public access.
 This workflow uses Testing Farm's Github Action [Schedule tests on Testing Farm](https://github.com/marketplace/actions/schedule-tests-on-testing-farm).
 
 ## Running Tests
@@ -47,7 +47,7 @@ You can run tests locally with the `tmt try` cli or remotely in Testing Farm.
     $ TESTING_FARM_API_TOKEN=<your_api_token> \
         testing-farm request --pipeline-type="tmt-multihost" \
         --plan-filter="tag:playbooks_parallel" \
-        --git-url "https://github.com/<my_user>/trustee_attestation_client" \
+        --git-url "https://github.com/<my_user>/trustee_client" \
         --git-ref "<my_branch>" \
         --compose CentOS-Stream-9 \
         -e "SYSTEM_ROLES_ONLY_TESTS=tests_default.yml" \

plans/test_playbooks_parallel.fmf

@@ -12,7 +12,7 @@ provision:
 environment:
   # ensure versions are strings!
   SR_ANSIBLE_VER: "2.17"
-  SR_REPO_NAME: trustee_attestation_client
+  SR_REPO_NAME: trustee_client
   SR_PYTHON_VERSION: "3.12"
   SR_ONLY_TESTS: ""  # tests_default.yml
   SR_TEST_LOCAL_CHANGES: true
@@ -32,6 +32,9 @@ prepare:
       if grep -q 'CentOS Linux release 7.9' /etc/redhat-release; then
         sed -i '/^mirror/d;s/#\?\(baseurl=http:\/\/\)mirror/\1vault/' /etc/yum.repos.d/*.repo
       fi
+  - name: Ensure use of devel site for yum repos
+    script: |
+      sed -i -e 's|\.lab\.bos\.|.devel.|g' -e 's|\.eng\.bos\.|.devel.|g' /etc/yum.repos.d/*.repo
 discover:
   - name: Prepare managed node
     how: fmf

tests/tasks/run_role_with_clear_facts.yml

@@ -0,0 +1,38 @@
+---
+# DO NOT EDIT THIS FILE - managed by linux-system-roles/.github
+# Task file: clear_facts, run linux-system-roles.trustee_client.
+# Include this with include_tasks or import_tasks
+# Input:
+# - __sr_tasks_from: tasks_from to run - same as tasks_from in include_role
+# - __sr_public: export private vars from role - same as public in include_role
+# - __sr_failed_when: set to false to ignore role errors - same as failed_when in include_role
+- name: Clear facts
+  meta: clear_facts
+
+# note that you can use failed_when with import_role but not with include_role
+# so this simulates the __sr_failed_when false case
+# Q: Why do we need a separate task to run the role normally?  Why not just
+# run the role in the block and rethrow the error in the rescue block?
+# A: Because you cannot rethrow the error in exactly the same way as the role does.
+# It might be possible to exactly reconstruct ansible_failed_result but it's not worth the effort.
+- name: Run the role with __sr_failed_when false
+  when:
+    - __sr_failed_when is defined
+    - not __sr_failed_when
+  block:
+    - name: Run the role
+      include_role:
+        name: linux-system-roles.trustee_client
+        tasks_from: "{{ __sr_tasks_from | default('main') }}"
+        public: "{{ __sr_public | default(false) }}"
+  rescue:
+    - name: Ignore the failure when __sr_failed_when is false
+      debug:
+        msg: Ignoring failure when __sr_failed_when is false
+
+- name: Run the role normally
+  include_role:
+    name: linux-system-roles.trustee_client
+    tasks_from: "{{ __sr_tasks_from | default('main') }}"
+    public: "{{ __sr_public | default(false) }}"
+  when: __sr_failed_when | d(true)

tests/vars/rh_distros_vars.yml

@@ -4,17 +4,17 @@
 # file is playbooks/templates/tests/vars/rh_distros_vars.yml
 ---
 # Ansible distribution identifiers that the role treats like RHEL
-__trustee_attestation_client_rh_distros:
+__trustee_client_rh_distros:
   - AlmaLinux
   - CentOS
   - RedHat
   - Rocky
 
 # Same as above but includes Fedora
-__trustee_attestation_client_rh_distros_fedora: "{{ __trustee_attestation_client_rh_distros + ['Fedora'] }}"
+__trustee_client_rh_distros_fedora: "{{ __trustee_client_rh_distros + ['Fedora'] }}"
 
 # Use this in conditionals to check if distro is Red Hat or clone
-__trustee_attestation_client_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_attestation_client_rh_distros }}"
+__trustee_client_is_rh_distro: "{{ ansible_facts['distribution'] in __trustee_client_rh_distros }}"
 
 # Use this in conditionals to check if distro is Red Hat or clone, or Fedora
-__trustee_attestation_client_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_attestation_client_rh_distros_fedora }}"
+__trustee_client_is_rh_distro_fedora: "{{ ansible_facts['distribution'] in __trustee_client_rh_distros_fedora }}"