Skip to content

Commit e16e612

Browse files
chore: fix yamllint violations in automatus CI workflows
Fix all yamllint violations (26 per file) in the automatus-debian12 and automatus-ubuntu2204 GitHub Actions workflow files. Changes (formatting only, no functional changes): - Fix bracket spacing on branch filters - Break long apt-get/apt install commands with line continuations - Break long shell commands (git, python3, podman, wget, test scripts) using block scalars with line continuations - Move inline version comments from uses: lines to comment lines above to keep uses: references under 99 characters - Fold long if: expressions using >- YAML scalars - Fold long env values using >- YAML scalars - Rewrap long comments to fit within 99 characters - Shorten long step name text Assisted-by: OpenCode (claude-opus-4-6) Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
1 parent 48f66b1 commit e16e612

2 files changed

Lines changed: 374 additions & 112 deletions

File tree

Lines changed: 187 additions & 56 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
name: Automatus Debian 12
22
on:
33
pull_request:
4-
branches: [ master, 'stabilization*' ]
4+
branches: [master, 'stabilization*']
55
concurrency:
6-
group: ${{ github.workflow }}-${{ github.event.number || github.run_id }}
6+
group: >-
7+
${{ github.workflow }}-${{
8+
github.event.number || github.run_id }}
79
cancel-in-progress: true
810
env:
911
DATASTREAM: ssg-debian12-ds.xml
@@ -13,32 +15,65 @@ jobs:
1315
runs-on: ubuntu-22.04
1416
steps:
1517
- name: Install Deps
16-
run: sudo apt-get update && sudo apt-get install -y cmake ninja-build python3-yaml python3-jinja2 git python3-deepdiff python3-requests jq python3-pip libxml2-utils xsltproc ansible-lint wget libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python3 swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev librpm-dev g++ libyaml-dev libxmlsec1-dev libxmlsec1-openssl
18+
run: |
19+
sudo apt-get update && sudo apt-get install -y \
20+
cmake ninja-build python3-yaml \
21+
python3-jinja2 git python3-deepdiff \
22+
python3-requests jq python3-pip \
23+
libxml2-utils xsltproc ansible-lint wget \
24+
libdbus-1-dev libdbus-glib-1-dev \
25+
libcurl4-openssl-dev libgcrypt20-dev \
26+
libselinux1-dev libxslt1-dev \
27+
libgconf2-dev libacl1-dev libblkid-dev \
28+
libcap-dev libxml2-dev libldap2-dev \
29+
libpcre3-dev python3 swig \
30+
libxml-parser-perl libxml-xpath-perl \
31+
libperl-dev libbz2-dev librpm-dev g++ \
32+
libyaml-dev libxmlsec1-dev \
33+
libxmlsec1-openssl
1734
- name: Install deps python
1835
run: pip3 install gitpython xmldiff lxml lxml-stubs requests
1936
- name: Checkout
20-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
37+
# actions/checkout v4
38+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
2139
with:
2240
fetch-depth: 0
2341
- name: Checkout (CTF)
24-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
42+
# actions/checkout v4
43+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
2544
with:
2645
repository: ComplianceAsCode/content-test-filtering
2746
path: ctf
2847
# https://github.com/actions/checkout/issues/766
2948
- name: Set git safe directory
30-
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
49+
run: >-
50+
git config --global --add safe.directory
51+
"$GITHUB_WORKSPACE"
3152
- name: Find forking point
3253
env:
3354
BASE_BRANCH: ${{ github.base_ref }}
34-
run: echo "FORK_POINT=$(git merge-base origin/$BASE_BRANCH ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT
55+
run: |
56+
FORK_POINT=$(git merge-base \
57+
origin/$BASE_BRANCH \
58+
${{ github.event.pull_request.head.sha }})
59+
echo "FORK_POINT=$FORK_POINT" >> $GITHUB_OUTPUT
3560
id: fork_point
3661
- name: Detect content changes in the PR
37-
run: python3 ./ctf/content_test_filtering.py pr --base ${{ steps.fork_point.outputs.FORK_POINT }} --remote_repo ${{ github.server_url }}/${{ github.repository }} --verbose --rule --output json ${{ github.event.pull_request.number }} > output.json
62+
run: |
63+
python3 ./ctf/content_test_filtering.py pr \
64+
--base ${{ steps.fork_point.outputs.FORK_POINT }} \
65+
--remote_repo \
66+
${{ github.server_url }}/${{ github.repository }} \
67+
--verbose --rule --output json \
68+
${{ github.event.pull_request.number }} \
69+
> output.json
3870
- name: Test if there are no content changes
39-
run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
71+
run: >-
72+
echo "CTF_OUTPUT_SIZE=$(stat --printf="%s"
73+
output.json)" >> $GITHUB_OUTPUT
4074
id: ctf
41-
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
75+
# actions/upload-artifact v4
76+
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
4277
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
4378
with:
4479
name: output.json
@@ -49,12 +84,15 @@ jobs:
4984
- name: Get product attribute
5085
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
5186
id: product
52-
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
87+
# notiz-dev/github-action-json-property v0.2.0
88+
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8
5389
with:
5490
path: 'output.json'
5591
prop_path: 'product'
5692
- name: Download OpenSCAP
57-
run: wget https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
93+
run: |
94+
wget \
95+
https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
5896
- name: Extract OpenSCAP
5997
run: tar xf openscap-1.3.10.tar.gz
6098
- name: Build OpenSCAP
@@ -65,7 +103,8 @@ jobs:
65103
- name: Build product
66104
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
67105
run: ./build_product debian12
68-
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
106+
# actions/upload-artifact v4
107+
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
69108
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
70109
with:
71110
name: ${{ env.DATASTREAM }}
@@ -76,19 +115,38 @@ jobs:
76115
runs-on: ubuntu-22.04
77116
steps:
78117
- name: Install Deps
79-
run: sudo apt update && sudo apt install -y cmake ninja-build libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman wget libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python3 swig libxml-parser-perl libxml-xpath-perl libperl-dev libbz2-dev librpm-dev g++ libyaml-dev libxmlsec1-dev libxmlsec1-openssl
118+
run: |
119+
sudo apt update && sudo apt install -y \
120+
cmake ninja-build libxml2-utils xsltproc \
121+
python3-jinja2 python3-yaml ansible-lint \
122+
podman wget \
123+
libdbus-1-dev libdbus-glib-1-dev \
124+
libcurl4-openssl-dev libgcrypt20-dev \
125+
libselinux1-dev libxslt1-dev \
126+
libgconf2-dev libacl1-dev libblkid-dev \
127+
libcap-dev libxml2-dev libldap2-dev \
128+
libpcre3-dev python3 swig \
129+
libxml-parser-perl libxml-xpath-perl \
130+
libperl-dev libbz2-dev librpm-dev g++ \
131+
libyaml-dev libxmlsec1-dev \
132+
libxmlsec1-openssl
80133
- name: Checkout
81-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
134+
# actions/checkout v4
135+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
82136
- name: Get cached CTF output
83-
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
137+
# actions/download-artifact v4
138+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
84139
id: get_ctf_output
85140
with:
86141
name: output.json
87-
# continue even if the file is unavailable that
88-
# means there are no changes detected by CTF in the previous job
142+
# continue even if the file is unavailable;
143+
# that means there are no changes detected
144+
# by CTF in the previous job
89145
continue-on-error: true
90146
- name: Download OpenSCAP
91-
run: wget https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
147+
run: |
148+
wget \
149+
https://github.com/OpenSCAP/openscap/releases/download/1.3.10/openscap-1.3.10.tar.gz
92150
- name: Extract OpenSCAP
93151
run: tar xf openscap-1.3.10.tar.gz
94152
- name: Build OpenSCAP
@@ -97,99 +155,172 @@ jobs:
97155
cmake -Bbuild -DCMAKE_INSTALL_PREFIX=/usr .
98156
sudo cmake --build build --target install
99157
- name: Test if there are no content changes
100-
if: ${{ steps.get_ctf_output.outcome == 'success' }}
101-
run: echo "CTF_OUTPUT_SIZE=$(stat --printf="%s" output.json)" >> $GITHUB_OUTPUT
158+
if: >-
159+
${{ steps.get_ctf_output.outcome == 'success' }}
160+
run: >-
161+
echo "CTF_OUTPUT_SIZE=$(stat --printf="%s"
162+
output.json)" >> $GITHUB_OUTPUT
102163
id: ctf
103164
- name: Print changes to content detected if any
104-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
165+
if: >-
166+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
105167
run: cat output.json
106168
- name: Generate id_rsa key
107-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
169+
if: >-
170+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
108171
run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa
109172
- name: Build test suite container
110-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
111-
run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-debian12
173+
if: >-
174+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
175+
run: |
176+
podman build \
177+
--build-arg \
178+
"CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" \
179+
-t ssg_test_suite \
180+
-f test_suite-debian12
112181
working-directory: ./Dockerfiles
113182
- name: Get oscap-ssh
114-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
183+
if: >-
184+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
115185
run: |
116186
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-ssh
117187
sudo chmod 755 oscap-ssh
118188
sudo mv -v oscap-ssh /usr/local/bin
119189
sudo chown root:root /usr/local/bin/oscap-ssh
120190
rm -f oscap-ssh
121191
- name: Get rule ids to be tested
122-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
192+
if: >-
193+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
123194
id: rules
124-
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
195+
# notiz-dev/github-action-json-property v0.2.0
196+
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8
125197
with:
126198
path: 'output.json'
127199
prop_path: 'rules'
128200
- name: Get product attribute
129-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
201+
if: >-
202+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
130203
id: product
131-
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
204+
# notiz-dev/github-action-json-property v0.2.0
205+
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8
132206
with:
133207
path: 'output.json'
134208
prop_path: 'product'
135209
- name: Get bash attribute
136-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
210+
if: >-
211+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
137212
id: bash
138-
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
213+
# notiz-dev/github-action-json-property v0.2.0
214+
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8
139215
with:
140216
path: 'output.json'
141217
prop_path: 'bash'
142218
- name: Get ansible attribute
143-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
219+
if: >-
220+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
144221
id: ansible
145-
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8 # v0.2.0
222+
# notiz-dev/github-action-json-property v0.2.0
223+
uses: notiz-dev/github-action-json-property@a5a9c668b16513c737c3e1f8956772c99c73f6e8
146224
with:
147225
path: 'output.json'
148226
prop_path: 'ansible'
149-
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
150-
if: ${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
227+
# actions/download-artifact v4
228+
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
229+
if: >-
230+
${{ steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
151231
with:
152232
name: ${{ env.DATASTREAM }}
153233
- name: Run tests in a container - Bash
154-
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
155-
run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
234+
if: >-
235+
${{steps.bash.outputs.prop == 'True'
236+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
237+
run: |
238+
tests/test_rule_in_container.sh \
239+
--no-make-applicable-in-containers \
240+
--dontclean \
241+
--logdir logs_bash \
242+
--remediate-using bash \
243+
--name ssg_test_suite \
244+
--datastream $DATASTREAM \
245+
${{join(fromJSON(steps.rules.outputs.prop))}}
156246
env:
157-
ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified"
247+
ADDITIONAL_TEST_OPTIONS: >-
248+
--duplicate-templates
249+
--remove-fips-certified
158250
- name: Check for ERROR in logs
159-
if: ${{steps.bash.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
251+
if: >-
252+
${{steps.bash.outputs.prop == 'True'
253+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
160254
run: grep -q "^ERROR" logs_bash/test_suite.log
161255
id: check_results_bash
162-
# when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file
163-
# and this means tests finished successfully without errors. So the job needs to keep going.
164-
# By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use
165-
# it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead.
256+
# when grep returns 1 means it didn't find the
257+
# ^ERROR string in the test_suite.log file and
258+
# this means tests finished successfully without
259+
# errors. So the job needs to keep going.
260+
# By using continue-on-error: true the
261+
# "conclusion" parameter is set to true so it's
262+
# not possible to use it to determine whether
263+
# the task has failed or succeed. The "outcome"
264+
# parameter has to be used instead.
166265
# See the step below
167266
continue-on-error: true
168267
- name: Upload logs in case of failure
169-
if: ${{steps.bash.outputs.prop == 'True' && steps.check_results_bash.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
170-
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
268+
if: >-
269+
${{steps.bash.outputs.prop == 'True'
270+
&& steps.check_results_bash.outcome == 'success'
271+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
272+
# actions/upload-artifact v4
273+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
171274
with:
172275
name: logs_bash
173276
path: logs_bash/
174277
- name: Run tests in a container - Ansible
175-
if: ${{ steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
176-
run: tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_ansible --remediate-using ansible --name ssg_test_suite --datastream $DATASTREAM ${{join(fromJSON(steps.rules.outputs.prop))}}
278+
if: >-
279+
${{ steps.ansible.outputs.prop == 'True'
280+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
281+
run: |
282+
tests/test_rule_in_container.sh \
283+
--no-make-applicable-in-containers \
284+
--dontclean \
285+
--logdir logs_ansible \
286+
--remediate-using ansible \
287+
--name ssg_test_suite \
288+
--datastream $DATASTREAM \
289+
${{join(fromJSON(steps.rules.outputs.prop))}}
177290
env:
178-
ADDITIONAL_TEST_OPTIONS: "--duplicate-templates --remove-fips-certified --product debian12"
291+
ADDITIONAL_TEST_OPTIONS: >-
292+
--duplicate-templates
293+
--remove-fips-certified
294+
--product debian12
179295
- name: Check for ERROR in logs
180-
if: ${{steps.ansible.outputs.prop == 'True' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
296+
if: >-
297+
${{steps.ansible.outputs.prop == 'True'
298+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
181299
run: grep -q "^ERROR" logs_ansible/test_suite.log
182300
id: check_results_ansible
183301
continue-on-error: true
184302
- name: Upload logs in case of failure
185-
if: ${{ steps.ansible.outputs.prop == 'True' && steps.check_results_ansible.outcome == 'success' && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
186-
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
303+
if: >-
304+
${{ steps.ansible.outputs.prop == 'True'
305+
&& steps.check_results_ansible.outcome == 'success'
306+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
307+
# actions/upload-artifact v4
308+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
187309
with:
188310
name: logs_ansible
189311
path: logs_ansible/
190-
- name: Fail in case of ERROR present in logs_bash/test_suite.log or logs_ansible/test_suite.log
191-
if: ${{ (steps.check_results_bash.outcome == 'success' || steps.check_results_ansible.outcome == 'success') && steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
312+
- name: Fail if ERROR in test logs
313+
if: >-
314+
${{ (steps.check_results_bash.outcome == 'success'
315+
|| steps.check_results_ansible.outcome == 'success')
316+
&& steps.ctf.outputs.CTF_OUTPUT_SIZE != '0' }}
192317
run: |
193-
[[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - "
194-
[[ -f logs_ansible/test_suite.log ]] && echo "---------Ansible Remediation Logs---------" && cat logs_ansible/test_suite.log | grep -v "DEBUG - "
318+
[[ -f logs_bash/test_suite.log ]] \
319+
&& echo "---Bash Remediation Logs---" \
320+
&& cat logs_bash/test_suite.log \
321+
| grep -v "DEBUG - "
322+
[[ -f logs_ansible/test_suite.log ]] \
323+
&& echo "---Ansible Remediation Logs---" \
324+
&& cat logs_ansible/test_suite.log \
325+
| grep -v "DEBUG - "
195326
exit 1

0 commit comments

Comments
 (0)