ci: Add config file for CodeRabbit with custom rules

[spetrosi]

Sourcery that we currently use cannot read documentation files and best
practices, it's rather a refactoring tool.
So I want to introduce CodeRabbit that allows creating .coderabbit.yaml with
custom rules and conventions.

Signed-off-by: Sergei Petrosian spetrosi@redhat.com

Summary by Sourcery

CI:

• Configure CodeRabbit review settings, pre-merge title/description checks, and path-specific review instructions for Ansible tasks, tests, templates, variables, Python code, and documentation.

[sourcery-ai]

Reviewer's Guide

Adds a new CodeRabbit configuration file (.coderabbit.yaml) that defines review behavior, disables non-essential features, enforces PR title/description conventions, and encodes detailed, path-specific review rules aligned with linux-system-roles best practices (especially for Ansible tasks, tests, templates, variables, and Python code).

File-Level Changes

Change	Details	Files
Introduce CodeRabbit configuration with conservative defaults and disabled auto/"fun" features for PR reviews.	Create .coderabbit.yaml with schema reference and repository-level management note. Disable chat art, poems, fortunes, auto labels/reviewers, request-changes workflow, sequence diagrams, effort estimation, suggested labels, and high-level summary walkthroughs. Disable finishing-touches unit test suggestions to avoid automatic post-processing of reviews.	.coderabbit.yaml
Enforce repository-wide PR metadata conventions via CodeRabbit pre-merge checks.	Add title pre_merge_check that warns when PR titles do not follow Conventional Commits, delegating allowed types to .commitlintrc.js. Add custom description-format check that warns when the PR body does not follow the template structure from .github/pull_request_template.md (Enhancement/Feature, Reason, Result, optional issue tracker tickets). Document examples of compliant PR titles and descriptions inside the configuration for reviewer reference.	.coderabbit.yaml
Define path-based review instructions to encode linux-system-roles best practices, mainly for Ansible content and tests.	For tasks//*.yml, specify patterns for parametrized no_log usage, OSTree-compatible package installation using ansible.builtin.package with conditional use:, avoidance of third-party collections, correct FQCN for other roles, idempotency, check-mode behavior, and mandatory test coverage for new task logic. For handlers//.yml, require no_log to be parametrized via trustee_client_secure_logging when dealing with sensitive data. For tests/tests_.yml, require invocation via a centrally managed include_tasks wrapper, emphasize idempotent and assert-based verification, and coverage of success/failure scenarios. For templates//*.j2, require standardized headers (ansible_managed comment followed by system_role:trustee_client fingerprint). For defaults//.yml and vars/**/.yml, enforce trustee_client_/_trustee_client naming conventions, location of user-facing vs internal vars, and documentation requirements for new defaults in README.md. For **/*.py, require PEP 8 compliance, Black formatting, and running tox -e black,flake8 before commit. For README.md, require documentation and examples for any new user-facing variables.	.coderabbit.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The path_instructions glob tasks/**/*.yml will not match tasks/main.yml in many glob implementations; consider adding an explicit tasks/*.yml pattern if you want the core tasks files covered by these rules.
• Several instructions are hardcoded to the trustee_client_ naming (variables, role name, examples); if this config is intended to be shared across multiple linux-system-roles, consider parameterizing or generalizing these references to avoid misleading guidance in other roles.
• The review instructions mention enforcing test coverage and documentation updates for new variables and tasks, while the CodeRabbit finishing_touches.unit_tests feature is disabled; consider aligning these to avoid conflicting expectations for contributors and reviewers.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `path_instructions` glob `tasks/**/*.yml` will not match `tasks/main.yml` in many glob implementations; consider adding an explicit `tasks/*.yml` pattern if you want the core tasks files covered by these rules.
- Several instructions are hardcoded to the `trustee_client_` naming (variables, role name, examples); if this config is intended to be shared across multiple linux-system-roles, consider parameterizing or generalizing these references to avoid misleading guidance in other roles.
- The review instructions mention enforcing test coverage and documentation updates for new variables and tasks, while the CodeRabbit `finishing_touches.unit_tests` feature is disabled; consider aligning these to avoid conflicting expectations for contributors and reviewers.

## Individual Comments

### Comment 1
<location path=".coderabbit.yaml" line_range="203-204" />
<code_context>
+    # ========================================
+    # Variable Definitions - defaults/
+    # ========================================
+    - path: "defaults/**/*.yml"
+      instructions: |
+        - All variables MUST be prefixed with `trustee_client_`
+        - All variables MUST be stored in the file defaults/main.yml, Ansible
+          doesn't include variables from other files.
+        - These are user-facing API variables
</code_context>
<issue_to_address>
**suggestion:** Qualify the note about Ansible loading variables from defaults files to avoid confusion

The statement about Ansible "not including variables from other files" is only true in the context of `defaults/` (where only `defaults/main.yml` is auto-loaded). To avoid confusion with mechanisms like `vars_files` and `include_vars`, please reword to something like: "Ansible only auto-loads variables from defaults/main.yml" so the scope is explicit.

```suggestion
        - All variables MUST be stored in the file defaults/main.yml. Ansible
          only auto-loads variables from defaults/main.yml under defaults/.
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion: Qualify the note about Ansible loading variables from defaults files to avoid confusion

The statement about Ansible "not including variables from other files" is only true in the context of defaults/ (where only defaults/main.yml is auto-loaded). To avoid confusion with mechanisms like vars_files and include_vars, please reword to something like: "Ansible only auto-loads variables from defaults/main.yml" so the scope is explicit.

Suggested change

	- All variables MUST be stored in the file defaults/main.yml, Ansible
	doesn't include variables from other files.
	- All variables MUST be stored in the file defaults/main.yml. Ansible
	only auto-loads variables from defaults/main.yml under defaults/.